cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions are all welcome!


founded 2 years ago

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

*Sorry for the late posting!!

In case you need a quick laugh, have a look at this CVE report.

For context, quoting the DVWA repo:

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, [...].

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477.

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

Hello all!

I'm wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.

From my perspective, modern computing has made MFA a requirement for pretty much everything. I'm not a fan of app-based as it is too fragile and increases possible attack surface.

When it comes to HW keys, I see a few factors:

  • Physical manufacturing location/supply chain
  • Source code access
  • Third-party certification

The first one is fairly straightforward - do you have trust in the place of manufacture and the components used? Or is there some other philosophical reason (e.g. labor conditions)?

The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable it is; however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I'm not sure if this is due to it being a commercial working group or the costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?

While I would rather the verifiability of open-source, it seems like Yubico's offerings might be winning out in the other categories for the price. Any thoughts?

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

I stopped at level 24, but it was super funny!

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

Follow Friday (self.cybersecurity)
submitted 2 years ago by shellsharks to c/cybersecurity

Happy Friday c/cybersecurity! I wanted to try out a new recurring thread with a familiar theme, Follow Friday!

Use this thread to share information about yourself or others including social accounts, blogs, podcasts, YouTube channels, w/e you want to plug so people can follow!

If you like (or don’t like) this idea, sound off in the comments or send me a DM. This can be a regular weekly thread or could be monthly or quarterly. Cheers!

Inception Attack (comsec.ethz.ch)
submitted 2 years ago by shellsharks to c/cybersecurity

Downfall Attacks (downfall.page)
submitted 2 years ago by shellsharks to c/cybersecurity

TunnelCrack vulnerability (tunnelcrack.mathyvanhoef.com)
submitted 2 years ago by shellsharks to c/cybersecurity

Summary: MTE As Implemented (googleprojectzero.blogspot.com)
submitted 2 years ago by tedu@azorius.net to c/cybersecurity

MTE = Memory Tagging Extension

In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities.

Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. The ability of MTE to detect memory corruption exploitation at the first dangerous access provides a significant improvement in diagnostic and potential security effectiveness. In comparison, most other proposed approaches rely on blocking later stages in the exploitation process, for example various hardware-assisted CFI approaches which aim to block invalid control-flow transfers.

Implementation Testing

Mitigation Case Studies

The Kernel
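To make the summary's point concrete, here is an added example that is not code from the Project Zero post, from ARM, or from this submission: a small C model of MTE-style tagging with one 4-bit tag per 16-byte granule and the pointer's tag carried in its top byte. It is a software simulation that runs on any machine, not the hardware instructions (IRG/STG/LDG); the toy allocator, the deterministic tag choice and every `mte_*` / `demo_*` name are invented for illustration. It shows what the paragraph claims: a linear overflow into a neighbour or a use-after-free is caught at the first bad access rather than at some later control-flow transfer. It also shows one limitation that follows from the granule size: an overflow that stays inside the allocation's last 16-byte granule is not detected at all.

```c
#include <stdint.h>
#include <stdio.h>

#define GRANULE   16                /* MTE tag granule: one 4-bit tag per 16 bytes */
#define HEAP_SIZE 4096
#define NGRANULES (HEAP_SIZE / GRANULE)
#define TAG_SHIFT 56                /* tag lives in the top byte, as with AArch64 TBI */

static uint8_t heap[HEAP_SIZE];     /* data memory */
static uint8_t gtag[NGRANULES];     /* allocation tag per granule (models the tag memory) */
static size_t  heap_top;
static uint8_t next_tag = 1;        /* hardware picks random tags (IRG); deterministic here so the demo is repeatable.
                                       With random 4-bit tags a neighbour collides at most 1 time in 16. */

typedef uint64_t tptr;              /* "tagged pointer": heap offset in the low bits, tag in bits 56..59 */

static tptr    mk(size_t off, uint8_t tag) { return ((tptr)(tag & 0xF) << TAG_SHIFT) | (tptr)off; }
static uint8_t ptag(tptr p)               { return (uint8_t)(p >> TAG_SHIFT) & 0xF; }
static size_t  poff(tptr p)               { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

static void mte_reset(void) {
    heap_top = 0;
    next_tag = 1;
    for (size_t i = 0; i < NGRANULES; i++) gtag[i] = 0;
}

/* Allocate n bytes: round up to whole granules, colour them with a fresh tag,
 * return a pointer that carries the same tag. */
static tptr mte_alloc(size_t n) {
    size_t ng = (n + GRANULE - 1) / GRANULE;
    if (ng == 0) ng = 1;
    if (heap_top + ng * GRANULE > HEAP_SIZE) return 0;
    size_t off = heap_top;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);        /* cycle 1..15: adjacent blocks never share a tag */
    for (size_t g = 0; g < ng; g++) gtag[off / GRANULE + g] = tag;
    heap_top += ng * GRANULE;
    return mk(off, tag);
}

/* Free: retag the block so every stale pointer, still carrying the old tag, now mismatches. */
static void mte_free(tptr p, size_t n) {
    size_t ng = (n + GRANULE - 1) / GRANULE;
    size_t g0 = poff(p) / GRANULE;
    for (size_t g = 0; g < ng && g0 + g < NGRANULES; g++)
        gtag[g0 + g] = (uint8_t)(gtag[g0 + g] % 15 + 1);
}

/* Tag check performed on every access. 0 = tags match; -1 models the synchronous
 * tag-check fault (SIGSEGV with SEGV_MTESERR) the hardware raises on the first mismatch. */
static int mte_check(tptr p) {
    size_t off = poff(p);
    if (off >= HEAP_SIZE) return -1;
    return gtag[off / GRANULE] == ptag(p) ? 0 : -1;
}
static int mte_store(tptr p, uint8_t v)  { if (mte_check(p)) return -1; heap[poff(p)] = v; return 0; }
static int mte_load(tptr p, uint8_t *v)  { if (mte_check(p)) return -1; *v = heap[poff(p)]; return 0; }

/* 1. Correct use: store and load through the tagged pointer succeed. Returns 0. */
int demo_valid(void) {
    mte_reset();
    tptr a = mte_alloc(16);
    uint8_t v = 0;
    if (mte_store(a + 15, 0x5A) || mte_load(a + 15, &v)) return -1;
    return v == 0x5A ? 0 : -1;
}

/* 2. Linear overflow into the neighbouring allocation: caught on the very first
 * out-of-bounds byte, before anything downstream is corrupted. Returns -1. */
int demo_overflow(void) {
    mte_reset();
    tptr a = mte_alloc(16);
    (void)mte_alloc(16);                 /* neighbour, tagged differently */
    return mte_store(a + 16, 0x41);      /* first byte past the end lands in a granule with another tag */
}

/* 3. Use-after-free: the freed granules were retagged, so the dangling pointer faults. Returns -1. */
int demo_uaf(void) {
    mte_reset();
    tptr a = mte_alloc(32);
    mte_free(a, 32);
    uint8_t v = 0;
    return mte_load(a, &v);
}

/* 4. Limitation: an overflow that stays inside the block's last granule is invisible,
 * because tags are per 16-byte granule, not per byte. Returns 0 (not detected). */
int demo_intra_granule_overflow(void) {
    mte_reset();
    tptr a = mte_alloc(5);               /* 5 bytes requested, but the whole 16-byte granule carries the tag */
    return mte_store(a + 9, 0x41);       /* several bytes past the logical end, same granule, same tag */
}

int main(void) {
    printf("valid access            : %d (0 = ok)\n", demo_valid());
    printf("overflow into neighbour : %d (-1 = tag fault)\n", demo_overflow());
    printf("use after free          : %d (-1 = tag fault)\n", demo_uaf());
    printf("intra-granule overflow  : %d (0 = not caught)\n", demo_intra_granule_overflow());
    return 0;
}
```

Build with `cc -o mte_model mte_model.c && ./mte_model`. The model deliberately cycles tags instead of randomising them so the output is stable; on real hardware the random tag choice is what turns the overflow and use-after-free cases into probabilistic detection, which is why the hardware's granule size and tag width matter as much as the check itself.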

41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021. Although a 40% drop might seem like a clear-cut win for improving security, the reality is more complicated.

SECURITIES AND EXCHANGE COMMISSION 17 CFR Parts 229, 232, 239, 240, and 249 [Release Nos. 33-11216; 34-97989; File No. S7-09-22] RIN 3235-AM89

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

SUMMARY: The Securities and Exchange Commission (“Commission”) is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).

DATES: Effective date: The amendments are effective [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]
