memory spy
The Password Game
Please choose a password
Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us | InformIT
175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct ThemCybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result.
The Security Pipeline - DevOps.com
Integrating security solutions into DevOps toolchains will take effort, but once in place they will enhance application security.
API Security: Is Authorization the Biggest Threat?
Authorization is the largest vulnerability area that is not protected well and represents the biggest current risk for API security.
CISA and Partners Release Joint Guide to Securing Remote Access Software | CISA
Here’s how long it takes new BrutePrint attack to unlock 10 different smartphones
BrutePrint requires just $15 of equipment and a little amount of time with a phone.
Lessons from 'Star Trek: Picard'—A cybersecurity expert explains how a sci-fi series illuminates today's threats
(Editor's note: This article contains plot spoilers.) Society's understanding of technology and cybersecurity often is based on simple stereotypes and sensational portrayals in the entertainment media. I've written about how certain scenarios are entertaining but misleading. Think of black-clad teenage hackers prowling megacities challenging corporate villains. Or think of counterintelligence specialists repositioning a satellite from the back of a surveillance van via a phone call.
How to fix a ReDoS | The GitHub Blog
Code scanning detects ReDoS vulnerabilities automatically, but fixing them isn’t always easy. This blog post describes a 4-step strategy for fixing ReDoS bugs.
Runtime Security: Relevancy Is What Counts
Security best practices have emerged, including those for cloud native deployments. However, that remains a work in progress.
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
Pipeline controls can only ensure security and compliance for changes that have gone through the pipeline. They don't account for "dark deploys" from bad actors who access production by going around the golden path.
Internet Identity Workshop 36 Report
Last week's IIW was great with many high intensity discussions of identity by people from across the globe.
ETHOS | Emerging Threat Open Sharing
ETHOS is the OT-centric, open-source platform for sharing anonymous early warning threat information.
Mysk🇨🇦🇩🇪 (@[email protected])
Attached: 4 images
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
Shodan
Search engine of Internet-connected devices. Create a free account to get started.
The War on Passwords Enters a Chaotic New Phase
The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.
There's Been a 400% Increase in Unique API Attackers
Salt Security finds It's well past time for us to lock down our application programming interfaces.
How automation eases the burden of cloud permissions management for security teams
Entitle has raised $15 million in seed funding for a solution designed to automate identity permissions management in the cloud.
Digital Signature vs. Electronic Signature: Which Do You Need? - Make Tech Easier
Were you supposed to sign an electronic document? Come look deeper into what makes your electronic signature as secure as it should be.
Using Subnet Filtering for Enhanced SSRF Protection
In this guide, we will explain what SSRF attacks are and how you can protect against them with open-source Svix
Authenticate with OpenID Connect and Apache APISIX
Lots of companies are eager to provide their identity provider: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect using Google underneath and then switch to Azure. OpenID Connect The idea of an authorization open standard started with OAuth around 2006. Because of a security issue, OAuth 2.0 superseded the initial version. OAuth 2
Highlights from the New U.S. Cybersecurity Strategy
The Biden administration today issued its vision for beefing up the nation's collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House's new national cybersecurity…
What Is a Message Authentication Code (MAC)?
In secure website connections, a message authentication code (MAC) helps authenticate a message and its data integrity so you know its legit.
Serious Security: How to store your users’ passwords safely
Following our popular article explaining what Adobe did wrong with its users’ passwords, a number of readers asked us, “Why not publish an article showing the rest of us how to do it ri…
Password strength explained
I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.
The Cyber Defense Assistance Imperative – Lessons from Ukraine
Leaders will draw lessons from Ukraine for years, but one is already clear: delivering cyber defense assistance must be a key national security capability.
Let's build a Chrome extension that steals everything
Today's adventure: DIY whole hog data exfiltration
The top security threats to GraphQL APIs and how to address them - Help Net Security
Attackers have sophisticated, automated methods of prodding GraphQL deployments for security weaknesses, so stay alert about threats.
What Will It Take? - Schneier on Security
'They're getting smarter and smarter': Woman warns of newest fraud tactic after scammer called from her bank's phone number
A woman shares her story on TikTok of almost being scammed by someone pretending to be a caller from her bank.