Jacob Kaplan-Moss

221 items tagged “security”

📌 Reviews of U2F devices

Roundup of the various U2F devices on the market right now. Critically, also includes information on which can store TOTP secrets (a key use-case for me).

📌 Personal data removal & credit freeze guide workbook [PDF]

An exhaustive workbook/checklist guiding freezing credit and scrubbing personal data from the web. This is the most comprehensive guide to this sort of thing I’ve found.

📌 Startups: Recruiting for Compliance – Kat Valentine – Medium
📌 ImperialViolet - Security Keys
📌 Fleetsmith: Secure, cloud-based Mac management via G Suite

Looks like a great alternative to Casper.

📌 The SaaS CTO Security Checklist
📌 GitHub - minimaxir/big-list-of-naughty-strings: The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
📌 Auditing code for crypto flaws: the first 30 minutes
📌 Serverless Security implications—from infra to OWASP | Snyk
📌 ThreatHunting Home

Good resources (playbooks, links, tools) for threat hunting.

📌 1225 - LastPass: global properties can be modified across isolated worlds, allowing remote code execution - project-zero - Monorail

Another Tavis/P0 password manager finding. Could affect other types of plugins, so if you write one, worth reading. Also worth reading through to see a good example of a researcher and vendor working closely to understand a complex issue and deploy a systemic fix.

📌 dxa4481/truffleHog: Searches through git repositories for high entropy strings, digging deep into commit history

A different approach to finding secrets in git repos: rather than pattern matching, look for strings with high entropy. Interesting!

📌 Into the symmetry: CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"

A variation of a classic OAuth vulnerability. These sorts of things are depressingly common, and this is why people sometimes talk about OAuth itself as being insecure.

📌 Tabletops for Bug Bounty
📌 Lessons Learned in Detection Engineering – Ryan McGeehan – Medium

Ryan nails it, as usual.

📌 CVE-2017-7240 - An issue was discovered on Miele Professional PG 8528 PST10 devices. The corresponding embedded webs - CVE-Search

A CVE for a dishwasher. SIGH.

📌 Alexsey’s TTPs

What a real attacker does. No 0days, all chained exploits. Very worth studying, in detail.

📌 AWS IAM Policies in a Nutshell
📌 Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates - Google Groups

Google has effectively lost trust in Symantec, proposes to distrust all their certs over the coming months.

📌 Battery Status Not Included: Assessing Privacy in W3C Web Standards

“Battery Status API is a browser feature that was meant to allow websites access the information concerning the battery state of a user device. This seemingly innocuous mechanism initially had no identified privacy concerns. However, following my previous research work in collaboration with Gunes Acar this view has changed (Leaking Battery and my later note).”

📌 Back to Basics: Beyond Network Hygiene
📌 Dashboard — badssl.com

Check your network for broken SSL MITMing.

📌 iOS_Security_iOS_10_Mar2017
📌 YETI
📌 ThreatSpec — Continuous threat modelling, through code
📌 GitHub Enterprise Remote Code Execution
📌 The Account Takeover Runbook – Ryan McGeehan – Medium https://medium.com/@magoo/the-account-takeover-runbook-ab8ae163f616#.7sy00cnyn
📌 HTTPS Interception Weakens TLS Security | US-CERT
📌 Building a Digital Security Exchange – Medium
📌 zero days research paper from rand