136 private links
You may have come across this infographic being shared on various social media platforms. However, at face value and taken out of context, it can be considered misinformation — and I will explain why.
This is giving people an absolutely false sense of security! It gets much more complicated than just a simple chart like this. This chart gives NO information on the contributing [critical] factors towards these calculations.
After Microsoft confirmed in January that it had been attacked by the Russian hacker group Midnight Blizzard, new findings from the company suggest that the attackers are still helping themselves to Microsoft's internal systems.
Microsoft is using this announcement as an opportunity to upsell customers on their security products, which are apparently necessary to run their identity and collaboration products safely!
This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts. It has become clear over the past few years that Microsoft’s addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases.
Anyone who tries out the new Outlook risks having the IMAP and SMTP credentials for their mail accounts, as well as all of their mails, transferred to Microsoft servers. Microsoft does state that switching back to the previous apps is possible at any time, but by then the data is already with the company.
This allows Microsoft to read the mails.
A behaviour that Outlook for mobile devices has been practising for some time ...
In Austria we already had a reality check on this in 2015, when the "trust service provider" A minus Trust (A-Trust.at) forgot to renew its root certificate in the browsers in time and thereby brought e-government in Austria to a standstill,
https://futurezone.at/netzpolitik/behoerden-websites-keine-vertrauenswuerdige-verbindung/147.690.445
Thirty-five years ago today (November 2nd), the Internet Worm program was set loose to propagate on the Internet. Noting that now to the computing public (and cybersecurity professionals, specifically) often generates an "Oh, really?" response akin to stating that November 2nd is the anniversary of the inaugural broadcast of the first BBC TV channel (1936), and the launch of Sputnik 2 with Laika aboard (1957). That is, to many, it is ho-hum, ancient history.
Perhaps that is to be expected after 35 years -- approximately the length of a human generation. (As an aside, I have been teaching at Purdue for 36 years. I have already taught students whose parents had taken one of my classes as a student; in five or so years, I may see students whose grandparents took one of my classes!)
LibreOffice users often believe they are on the safe side here and, like presumably many MS Office users, change nothing in their configuration. However, the BSI has also developed (or commissioned) guidelines for LibreOffice:
- Secure configuration of LibreOffice: recommendations for companies with a managed environment
- Secure configuration of LibreOffice: recommendations for smaller companies and private users
On the page LibreOffice – Aber sicher! the recommendations are available for download as a service in the form of a LibreOffice XCD file. The directives it contains act comparably to group policies for Microsoft Office and harden LibreOffice according to the guideline. Download the file and place it in the LibreOffice installation directory under the path share/registry/res. When LibreOffice is started afterwards, this preconfiguration is applied automatically. This makes it possible to secure complete LibreOffice deployments for a great many workstations without having the users do all of this themselves.
Test how well your mailserver delivers emails!
We test various security (DNSSEC, TLS, DANE, MTA-STS) and deliverability (IPv6) features your server should support when sending mail. (details)
Squires’ bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions. A massive number of websites, software, and apps rely on open-source developers to create essential tools and components — all for free. It’s the same issue that results in unpaid developers working tirelessly to fix the security issues in their open-source software, like the Heartbleed scare in 2014 that affected OpenSSL and the more recent Log4Shell vulnerability found in log4j that left volunteers scrambling to fix.
build awareness that NTLM needs to die (probably find better wording). This is our stretch goal. It won’t happen any time soon but it’s good to know where we’re heading. Make sure that any new application works without NTLM e.g., by disabling NTLM via GPO on all new servers you bring to production.
Let's Encrypt announced it had found a solution that will let those old Android phones keep ticking, and the solution is to just... keep using the expired certificate from IdenTrust? Let's Encrypt says "IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3."
Maersk is the world’s largest integrated shipping and container logistics company. I was massively privileged (no pun intended) to be their Identity & Access Management (IAM) Subject Matter Expert (SME), and later IAM Service Owner. Along with tens (if not hundreds) of others, I played a role in the recovery and cybersecurity response to the events of the well-publicised notPetya malware attack in 2017. I left Maersk in March 2019, and as is customary I wrote the obligatory thank you and goodbye note. But there was always a lot more to add. A story to tell.
The report shows that the vast majority of information security spending in the US is through the military, not through defensive organizations like the DHS, a trend that began with Clinton and has been continued by every president since, with massive acceleration under Trump.
Ironically, Trump has criticized previous admins for neglecting defense and pledged to increase it as a priority, but all he did was redefine "defense" to mean "punishing those who use cyber tools for malicious purposes" and attaining "peace through strength."
Which is why the DoD's cyber budget is 25% higher than the total infosec budget of all defensive agencies, with US Cybercommand HQ getting 33% more to cover program administration than the entire State Dept cyber budget, including operations.
The DoD's cyber ops budget is 250% of the budget for then entire Cybersecurity and Infrastructure Security Agency, and 1000% of the budget for the National Cybersecurity and Communications Integration Center.
And that's just the part of the budget we know about.
With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications.
Liran Tal
Developer Advocate, Snyk
Liran has been advocating for Node.js and JavaScript, through core lead for the MEAN.js framework, docker container tool Dockly, and author of several npm packages. He’s a member of the Node.js Security WG, the author of Essential Node.js Security.
security.tls.version.min specifies the minimum required protocol version (thus, the lowest version allowed to fall back to when higher versions are not available).
security.tls.version.max specifies the maximum supported protocol version (thus, the highest version to initiate a connection with before falling back to lower versions).
- 0: SSL 3.0 is the minimum required / maximum supported encryption protocol. (Default up to FF/TB 33.0 and SM 2.30 for the minimum version.)
- 1: TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the minimum required version.)
- 2: TLS 1.1 is the minimum required / maximum supported encryption protocol.
- 3: TLS 1.2 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
Linux Kernel Teaching
This is a collection of lectures and labs on Linux kernel topics. The lectures focus on theory and Linux kernel exploration.
https://linux-kernel-labs.github.io/refs/heads/master/index.html
The LoRaWAN protocol, which efficiently supports low-power wireless devices over wide area networks, has become standard in the world of the industrial internet of things (IoT). One of its benefits is its support for end-to-end encryption. However, researchers are warning that while LoRaWAN itself is perfectly secure, poor device security and user mistakes in configuration and implementation can still lead to hacks and widespread operational disruption.
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
ssh-audit is a tool for ssh server auditing.
Features
- SSH1 and SSH2 protocol server support;
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc.);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc.);
- analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH, Dropbear SSH and libssh;
- no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;