cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Vulnerability Assessments (self.cybersecurity)
submitted 2 years ago by MSgtRedFox to c/cybersecurity

cross-posted from: https://infosec.pub/post/6670956

I'm curious what tools, SaaS, or other solutions are being used for vulnerability assessments?

DOD calls it ACAS, which is just an acronym for the required assessment program of record they currently fulfil with the Nessus scanner and related vendor solutions.

Anyone have Nessus experience that can compare to another vendor? Good, bad, etc?

Security Control Frameworks (self.cybersecurity)
submitted 2 years ago by MSgtRedFox to c/cybersecurity

cross-posted from: https://infosec.pub/post/6671372

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self-developed based on NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)


Let's talk about root certificate management and the EU proposed QWACs.

Steve Gibson of the Security Now podcast weighed in with opposition to the EU's proposed QWACs certs and cited a few other prominent figures also expressing opposition.

Paraphrasing their concerns, they proposed that mandating a bunch of new CAs introduces more risk and greater opportunity for abuse or compromise. Steve favors fewer CAs, also being in favor of pruning out most but 6 or 7.

At the moment, I don't care for browsers having their own certificate stores, as I would rather use the OS's, for which I would use Group Policy on Windows or an automation tool on Linux.

I am also in favor of pruning out certs, though I've never tested that in an enterprise.

Does your organization allow non OS certificate stores?

Does your organization prune out default root certs?

How do you feel about the proposed QWACs?


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


Hey all, got a quick question!

I want to receive, parse and store syslogs from various devices on my home network on my Windows box. I know, I know, it's a bit backwards, but I'd like to proceed with this sort of setup if possible (not against discussion, of course).

I've looked and looked for options, but it seems like everything has been bare bones and basically just receives, or is locked behind premium. Surely there's some sort of solution out there, no? I'd be willing to implement something in Python if I need to, but I'm considerably more hesitant when compared to using an open source solution.

Thanks for your time, looking forward to discussing/learning more!


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


FYI: Postfix currently has an unpatched vulnerability which allows sending of spoofed mail: https://www.postfix.org/smtp-smuggling.html

A fix is currently not available, but to have peaceful holidays one should have these lines in the configuration as a workaround:

main.cf:
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keywords = chunking
submitted 2 years ago* (last edited 2 years ago) by MSgtRedFox to c/cybersecurity

The Internet and email are old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it's still not stopping the threat.

My questions for comment:

  • Would removing anonymity from email reduce or remove this threat? If businesses blocked all uncertified email senders, would this threat be gone?
  • Why can't we do PKI well after a few decades?
  • Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can't get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit: post not related to the site or any service, just image credit.


Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!


** Late post sorry!! ** - Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


Weekly thread for highlighting and discussing the past week’s notable threats, vulnerabilities, breaches and more!

Feel free to comment on what I’ve collected or share things you have found useful or interesting!


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


I am reading a lot about this currently.

Basically:

  • podman, flatpak, and some browsers use user namespaces to isolate activities from the main system
  • they are widely used as a security measure
  • on Linux Flatpak uses them, as bubblewrap creates new user namespaces for each application
  • Flatpakked browsers can't use user namespaces themselves, as this is not compatible with flatpak. So their security, especially in Chromium, is reduced.

But that is as far as I go. The hardened Linux Kernel disables user namespaces. There is bubblewrap-suid which avoids using user namespaces.

Unflatpakked browsers are more secure as they can use their builtin sandbox to do things like tab isolation. But does this even work when user namespaces are disabled, or does this also break sandboxing?

Are user namespaces secure, is not using them even worse, what are hidden implications?

I also read that firejail runs as root, so if it has a security hole the sandboxed program can get root privileges. Isn't that the same with bubblewrap-suid?
