Archive

Archive for the ‘General’ Category

What is Windows Virtual Desktop? – The Redmond Cloud

April 6, 2020 Leave a comment

Can it be that MS has learned from all of that RDP vulnerability and come up with a novel way to enable VDI for us all?

https://www.theredmondcloud.com/windows-virtual-desktop/

Categories: General

OWASP Mobile Top 10: Comprehensive Guide To Counter Mobile App Risks

April 4, 2020 Leave a comment

Here is a great article about the specific risks that mobile apps face. Learning about the attack surface of your mobile applications can help your organization plan how to avoid breach – https://www.appsealing.com/owasp-mobile-top-10-a-comprehensive-guide-for-mobile-developers-to-counter-risks/

Categories: General

U.S. Government: Update Chrome 80 Now, Multiple Security Concerns Confirmed

April 2, 2020 Leave a comment

If you use webaudio in a browser like Chrome, you should be interested to learn that three severe vulnerabilities are being fixed and all you have to do is upgrade your Chrome!

Whether you use WebAudio or not, if someone sends you a link to a site that has one of these vulnerabilities, you are probably already pwned.

The details are being held back but you can read more in the announcement here…

https://www.forbes.com/sites/daveywinder/2020/04/02/us-government-says-update-google-chrome-80-now-multiple-security-concerns-confirmed/

Categories: General

Incident Notification

April 1, 2020 Leave a comment

It is very sad to report another breach for the Marriot chain of hotels. Read more about it here https://mysupport.marriott.com/

Categories: General

Cloud Database Leak Exposes 425GB of Financial Data

March 20, 2020 Leave a comment

A financial startup (known as a fintech) has put almost half a terrabyte of data in a cloud based storage for use in a mobile app.

Security specialist with concerns for the inevitable future of OpenAPI for banking have been screaming about this nightmare for years. What do we do for the 100s of 1000s of people who have now lost their financial data?

Steps should be taken to encrypt this data at rest to address this very situation WHEN it happens and not allow the use of data by fintechs without these controls. Allowing banks to encrypt all data before it is shared and sharing the keys to registered companies may be the only sure way to prevent this in the future.

https://www.infosecurity-magazine.com/news/cloud-leak-exposes-425gb-financial/

Categories: General

Think Open Source Software is secure, think again?

March 13, 2020 Leave a comment

So you thought that when all the source code was available for everyone to see, you would have a better chance of finding bugs right?

It turns out that just because everyone can read it, that doesn’t mean anyone will do anything about it? I mean, this software is created by volunteers, modified by volunteers and used by anyone who wants to use it. Who said anything about making sure it was secure?

Over 10 times as many as a decade ago!
Categories: General

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84

March 2, 2020 Leave a comment

A titan in the world of management and a hero to us all.

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84. https://www.forbes.com/sites/lisettevoytko/2020/03/02/jack-welch-former-general-electric-ceo-and-chairman-dies-at-84/

Categories: General

NTLMv2 – no problems

February 29, 2020 Leave a comment

I really like when someone takes the time to show how fragile our networks really are.

Use a sniffer to collect your favourite ntlmv2 challenge and plug it into your monster hashcat box. Plug it in and turn it up on high until it warms the room and soon…

Out comes your one of your corporate colleagues password! (Serve warm) 🤟

https://research.801labs.org/cracking-an-ntlmv2-hash/amp/?__twitter_impression=true

Categories: General

Cert pinning bypass on okHttp

February 24, 2020 Leave a comment

One of the security controls that mobile makes strong use of is certificate pinning.

There is a library that is commonly used by a lot of application development teams called okHttp.

Mix these two together and you have a pretty good recipe for success but what if your application isn’t built to prevent an advisary from tampering with it?

Learn how to bypass this library and defeat certificate pinning in this article.

https://captmeelo.com/pentest/2020/02/24/bypass-okhttp-cert-pinning.html

Categories: General

Hackers Were Inside Citrix for Five Months — Krebs on Security

February 23, 2020 Leave a comment

https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/

To understand why guessing a password for one of your users is so easy is to understand that your organization is only as strong as its weakest link.

Even an organization that provides security solutions like Citrix can be a victim.

Learning how to educate our users on password hygiene, investing in multi factor methods of authentication and making an investment into FIDO (https://fidoalliance.org) may be the only way we will see a return on investment in cybersecurity.

Categories: General