48 Matching Annotations
  1. Last 7 days
    1. Some cybersecurity tasks can be outsourced, however, to extend staff and/or acquire specialized skills.

      In what way can service providers have offerings that distinguish them from others?

    2. What were once clear distinctions among hardware, software, cloud, and services and between primary and secondary suppliers continue to blur and overlap to the point where they're no longer distinguishable as separate categories. That raises questions and challenges about identifying the perimeter—or, where institutionally owned and managed technology infrastructure ends. Additionally, the integration between technology run in-house and that run by an external supplier continues to blur boundaries between consumers' responsibilities and suppliers' responsibilities. That, in turn, creates the challenge of clarifying which technology and data components can and should be secured by institutions versus by suppliers versus by end users and, thus, where security risk factors and responsibilities reside. Sometimes suppliers' security and privacy controls may not be as tight as institutions require or realize.

      The overlap between these areas is going to required increased communication between service providers and campus personnel, and probably helping students/faculty understand where reporting of issues needs to happen.

  2. Nov 2021
    1. Dogadać się z firmami z podobnej branży i umieszczać u siebie zdjęcia ich produktów, bez żadnego kodu. Napisać czasem (odpowiednio oznaczony) artykuł sponsorowany. Dodać link do bezpośrednich wpłat na swoje konto. Pomysłów jest multum. Niestety wielu wybrało najłatwiejszą opcję i podpięcie się pod globalne sieci reklamowe. Niekoniecznie zyskują na tym „partnerstwie”. Elementy reklamowe zbierają informacje o użytkownikach nawet jeśli ich nie klikniemy (a zatem i tak nie przyniesiemy zarobków właścicielom stron).

      Why it's worth to use ad blockers & how site owners could replace this business model

    1. I’ll recap the steps in case you got lost. I start with the assumption that I’ve already downloaded the invite.ics file.

      5 simple steps how to spoof invite.ics files

  3. Oct 2021
    1. A screenshot from the document providing an overview of different data retention periods. Image: Motherboard.

      Is it possible that FBI stores this data on us?

    1. UPDATE--SHA-1, the 25-year-old hash function designed by the NSA and considered unsafe for most uses for the last 15 years, has now been “fully and practically broken” by a team that has developed a chosen-prefix collision for it.

      SHA-1 has been broken; therefore, make sure not to use it in a production based environment

  4. Aug 2021
  5. May 2021
  6. Apr 2021
    1. The facility, which includes a virtual reality lab and 3-D printer, houses the multimedia, data analytics and cybersecurity classes. S



  7. Mar 2021
    1. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283

      Noticing a common text structure across all of the NIST guides. Another shout out to FISMA

    1. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.

      Definition of FCI

    1. Potential Impact on Organizations and Individuals

      Low = limited moderate = serious high = severe or catastrophic

    2. Security Objectives

      FISMA outlines three objectives around security:

      1. Confidentiality'
      2. Integrity
      3. Availability

      The low, medium, and high refer what risk of potential impact would the data have in any of the three got breached.

    1. pprove accreditation criteria for third-party assessment organizations (3PAOs) to provide independent assessments of CSPs’ implementation of the FedRAMP security authorization requirements9

      This is similar to the C3PAO model in cmmc

    2. Federal Risk and Authorization Management Program (FedRAMP)

      Created in 2011 by the OMB in compliance with FISMA act of 2002.

    1. The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC);10

      System Development Life Cycle,

      thing to stress requires a continuous monitoring and reporting system in place.

    2. Executive Order (E.O.) 13800 requires federal agencies to modernize their IT infrastructure and systems and recognizes the increasing interconnectedness of federal information systems and networks.

      People will need to know the requirement to modernize federal IT

    3. OMB Circular A-130,Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII).

      How we have to manage PII

    1. The SEI team dug into the CERT Resilience Management Model (CERT-RMM), the SEI's foundational process improvement approach to operational resilience management.

      People will need to know the process maturity approach derived from CERT-RMM

    2. Process maturity is stickiness, or how well the technical practices are embedded in the organization.

      Definition of process maturity. history of cmmc

    3. retain all the practices from NIST 800-171, and find a way for DIB members of varying cyber-sophistication to participate without POAMs.

      history of cmmc, two requirements and the connection to nist-800-171

    1. blication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.

      Find the FISMA act

  8. Dec 2020
    1. BlackArch is a Linux distribution designed for penetration testing and security research. You can think of it like Kali Linux, with the exception of being based on Arch Linux. Its official repositories contain more than +2500 various penetration testing tools, and hence it can be considered a very good option for anyone wishing to explore this field and try to hack their own phones/routers/devices during the quarantine time.

      BlackArch <--- kind of Kali Linux based on Arch Linux

  9. Nov 2020
    1. Today, we’re excited to open up a beta of a third approach to keeping web browsing safe with Cloudflare Browser Isolation. Browser sessions run in sandboxed environments in Cloudflare data centers in 200 cities around the world, bringing the remote browser milliseconds away from the user so it feels like local web browsing.

      Cloudflare introduces sandboxed web browsing. It's like a browser inside a browser, so we can rest assured that we won't be infected by the websites we visit

  10. Sep 2020
    1. "Dorks" are search lines that utilize the search engine different features, with targeted search strings to pinpoint results. Here's a fun list of Google searches from the exploit DB.

      Database of Google's Dorks: Google Hacking Database

    2. The internet archive, also known as the "Wayback Machine" holds periodic scans of websites all over the internet for years and years back. This is a mining field for hackers with a target. With tools like waybackcurls (based on waybackcurls.py) one can scan any target of old files. This means that even if you've found and removed a key but did not rotate it, a hacker might still find it in an old version of your website and use it against you.

      Hackers do use Wayback machine to find specific security flaws on your website

    3. Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use Rotate keys and passwords constantly, employ and enforce rotation policies Scan your code regularly. Preferably as part of the release process Delegate login profiles and access management to one central system where you control and monitor

      20% actions for 80% of effect to protect your API keys/passwords/SSH encrypted keys/certificates

    1. With your passport number, someone could: Book an international flight as youFootnote 2626. Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government) Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything) who knows what else, not me, bc i have never done a crime

      What can be done with out passport number

    2. I’d now found Tony Abbott’s: Passport details Phone number Weird Qantas staff comments.

      What information can be found on the "Manage Booking" page inside the website code

  11. Jun 2020
    1. Wyróżniamy 2 podstawowe metody wykrywania malware(można mówić o większej ilości, jednak na potrzeby przybliżenia podstaw wspomnę tylko o dwóch):

      2 ways antiviruses detect malware:

      • Signature-Based Detection - based on signatures (known byte sequences) updated continuously. For example, the method deletes software immediately after it's downloaded
      • Heuristic and Behavioral-Based Detection - based on malware's "behaviour" (each of its instructions)
    1. xposed the collective vulnerability to disruption and abuse. In one week in April 2020, there were over 18 million daily malware and

      It is important to underline that doesn't mean we have seen the surge in numbers of attacks or new malware (eg. AV test shows rather average number of new malware discovered throughout the top pandemics month comparing to last years: https://www.av-test.org/en/statistics/malware/). Instead, we are seeing new types of threats which take Covid19 as context: either specific phishing campaigns which are based on Covid19 hooks, or greater consequences of attacks against critical infrastructure like hospitals and medical centers - but also e-learning and e-commerce platforms (see the short video summary of threats: https://www.youtube.com/watch?v=XFCV_wIIEr8 ).

  12. May 2020
    1. The most common method of preventing CSRF is by generating a secret random string, known as a CSRF token, on the server, and checking for that token when the client performs a write.

      To completely defend the CSRF attack, one needs to generate a CSRF token

    2. CORS relaxes the Same-Origin Policy (SOP), a critical security measure that prevents scripts on one site (e.g. the attacker’s site) from accessing sensitive data on another site (e.g. the Definitely Secure Bank portal). If something was protecting you from CSRF, it would be the SOP.

      Thanks to Cross-Origin Resource Sharing (CORS), Same-Origin Policy (SOP) is being relaxed and CSRF is blocked from cross-origin reads, but not from writes (so POST is still effective but attacker cannot read the response)

    3. Cross-Site Request Forgery is a web security exploit where an attacker induces a victim to perform an action they didn’t mean to. In this case, the attacker tricked you into unintentionally transferring them money.

      Cross-Site Request Forgery (CSRF) attack example: sending cookies to the origin (bank site) even when the request originates from a different origin

  13. May 2019
    1. Several Businesses prefer to outsource their IoT Security compliance to third party agencies to ensure security measures to maintain IoT security and Device security of the organization. However merely entrusting your security compliance framework with an external body does not mitigate your risk of falling prey to Cyber Attacks and IoT security breaches. You need to ensure that the compliance framework takes into consideration the following factors in security audit checklist:

      IoT Security Compliance audit checklist must be followed by all developers working in this domain. Doing so can effectively prevent cyber attacks that have become so common.

  14. Nov 2017
    1. As an example, one of the most significant problems in healthcare security is the need for users to authenticate quickly to shared workstations in clinical environments. I could see a future version of Face ID embedded in an iMac solving that problem, changing an entire industry, and selling a lot of iMacs!

      Sounds very unlikely.

    1. Perhaps they will learn something about how a hacker can gain access to Web sites and why there is a burden on those of us who create on the Web to also secure what we create.
    1. Obviously, securing student data is critical. There are a lot of data sharing services that shouldn’t be offered until that security can be guaranteed.
  15. Feb 2017
    1. IBM research estimates that security teams have to deal with, on average, 200,000 individual events every single day.

      Wow, scary number!

    2. Evan and Mike Spisak invented an interface that could help fundamentally improve how cybersecurity works.

      Cybersecurity advances

  16. Jun 2016
    1. The cause of the security breach is under investigation by the University of Maryland Police Department, the U.S. Secret Service and federal law enforcement authorities, as well as forensic computer investigators.

      Despite this deposition from two years ago, U. Md. still hasn’t updated this page.

  17. Dec 2015
    1. Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)
    1. A group of 19 civil liberties organizations from across the political spectrum this morning issued a letter to the White House and Congress urging lawmakers to oppose the final “conferenced” version of a dangerous cyber bill that experts say will dramatically expand government surveillance while failing to make us safer from cyber attacks.
    1. "It makes zero sense to lock up this information forever," said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. "Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from."

      I used to think the most fanciful thing about the movie "War Games" was not the A.I., but the defense computer connected to a public network. But if industrial control systems can be reached by the Internet or other public lines -- then maybe the government is that stupid.