https://www.theregister.co.uk/2016/01/27/nsa_loves_it_when_you_use_pgp/, posted 30 Oct by peter in communication email privacy security
"To be honest, the spooks love PGP," Nicholas Weaver, a researcher at the International Computer Science Institute, told the Usenix Enigma conference in San Francisco on Wednesdy. "It's really chatty and it gives them a lot of metadata and communication records. PGP is the NSA's friend."
The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
The goal of this project is to create a universal database of disallowed usernames for web applications. This repository contains a list of keywords that should be banned/disallowed to prevent users from registering with, on your software projects and apps to prevent impersonation and phishing on your platform.
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/, posted Jan '18 by peter in hardware security
Spectre and Meltdown are side-channel attacks which deduce the contents of a memory location which should not normally be accessible by using timing to observe whether another location is present in the cache.
A great article that explains the widely debated security vulnerabilities in some CPUs.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum, posted Oct '17 by peter in communication networking security
The fact that any CA can issue a certificate for any domain name is commonly cited as the weakest aspect of the PKI ecosystem. Although CAs want to do the right thing, there are no technical controls that prevent them from doing whatever they chose to do. That’s why we say that the PKI ecosystem is a weak as the weakest link. With hundreds of CAs, there are potentially many weak links.
CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames. It operates via a new DNS resource record (RR) called CAA (type 257). Owners can restrict certificate issuance by specifying zero or more CAs; if a CA is allowed to issue a certificate, their own hostname will be in the DNS record. For example, this is what someone’s CAA configuration could be (in the zone file):example.org. CAA 128 issue "letsencrypt.org"
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git.
When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).
blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/, posted 2016 by peter in communication networking security
The PCI Council says you must remove completely support for SSL 3.0 and TLS 1.0. In short: servers and clients should disable SSL and then preferably transition everything to TLS 1.2.
However, TLS 1.1 can be acceptable if configured properly. The Council points to a NISTpublication that tells you how to do this configuration.
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016, posted 2016 by peter in development reference security toread
The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?
Easiest Solution: Use libsodium, which provides a secure password hashing API in most languages. As of version 1.0.8 it uses the scrypt algorithm, but in the next release (1.0.9) it will also offer Argon2, the most recent, carefully-selected algorithm from the Password Hashing Competition. Libsodium offers bindings for most programming languages.
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.
This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.