POPULARITY
The European Vulnerability Database (EUVD) has officially launched, providing a vital platform for monitoring critical security flaws amid challenges faced by the U.S. in cybersecurity funding and management. This initiative aims to enhance transparency and deliver essential information on vulnerabilities, addressing gaps left by the U.S. Common Vulnerabilities and Exposures program, which has been hindered by budget cuts and operational delays. The EUVD not only identifies disclosed bugs but also offers real-time updates on critical vulnerabilities, ensuring users have access to the latest security risk information.As the EUVD begins operations, it highlights a strategic divergence in cybersecurity approaches between the EU and the U.S., which could have direct implications for Managed Service Providers (MSPs) and their clients. If U.S. vulnerability reporting continues to decline, there may be a shift towards EUVD as a primary source for global security tooling and threat feeds. This would necessitate a reevaluation of the sources used for threat detection and patch prioritization by providers, especially if vendor feeds start integrating EUVD data more directly.In the realm of artificial intelligence, tech executives are increasingly adopting agentic AI, with nearly half of respondents in a recent survey indicating they have begun implementing such systems. However, despite the enthusiasm, many organizations are struggling to achieve significant returns on their AI investments, with only a small percentage reporting successful scaling of AI initiatives. The disconnect between ambition and execution presents an opportunity for IT service providers to bridge the gap and help organizations effectively deploy AI solutions.Additionally, product-related news highlights the launch of new tools aimed at enhancing cybersecurity and operational efficiency for MSPs. Coro has introduced a Security Awareness Training module to combat phishing attacks, while Sophos has launched a program to help MSPs expand their cybersecurity offerings. FlexPoint and StackPak have also secured funding to enhance their platforms, focusing on automating payment processes and improving vendor management, respectively. These developments underscore the growing importance of AI-driven operational tools and the need for MSPs to deepen their involvement in their clients' business operations. Four things to know today 00:00 Europe Launches Public Vulnerability Database as U.S. Transparency Falters04:29 Despite Bold Claims on Agentic AI, Most Firms Struggle to Scale—AT&T's Open-Source Model Stands Out07:56 From Phishing Defense to AI Payments: Vendors Equip MSPs to Tackle Operational Complexity11:26 Overpatching May Be a Bigger Risk Than Underpatching, Gartner VP Warns Supported by: https://afi.ai/office-365-backup/ All our Sponsors: https://businessof.tech/sponsors/ Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/Looking for a link from the stories? The entire script of the show, with links to articles, are posted in each story on https://www.businessof.tech/ Support the show on Patreon: https://patreon.com/mspradio/ Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on:LinkedIn: https://www.linkedin.com/company/28908079/YouTube: https://youtube.com/mspradio/Facebook: https://www.facebook.com/mspradionews/Instagram: https://www.instagram.com/mspradio/TikTok: https://www.tiktok.com/@businessoftechBluesky: https://bsky.app/profile/businessof.tech
In this episode of 'Cybersecurity Today,' host Jim Love discusses various pressing topics in the realm of cybersecurity. Highlights include Anthropic's prediction on AI-powered virtual employees and their potential security risks, Microsoft's introduction of AI security agents to mitigate workforce gaps and analyst burnout, and a pivotal court ruling allowing a data privacy class action against Shopify to proceed in California. Additionally, the show covers the last-minute extension of funding for the Common Vulnerabilities and Exposures (CVE) program by the US Cybersecurity and Infrastructure Security Agency, averting a potential crisis in cybersecurity coordination. These discussions underscore the evolving challenges and solutions within the cybersecurity landscape. 00:00 Introduction and Overview 00:26 AI Employees: Opportunities and Risks 01:48 Microsoft's AI Security Agents 03:58 Shopify's Legal Battle Over Data Privacy 05:12 CVE Program's Funding Crisis Averted 07:24 Conclusion and Contact Information
Episode 222: Discord has begun rolling out age verification in some countries, the Common Vulnerabilities and Exposures program barely escaped defunding, Ubuntu 25.04 has been released with lots of exciting new features, ChatGPT can figure out your location in photos (even without EXIF data), and more!Welcome to the Surveillance Report - featuring Techlore & The New Oil to keep you updated on the newest security & privacy news.
A federally funded cyber security program used by organizations throughout theworld nearly shut down. Last week, the Cybersecurity and Infrastructure Security Agency finally inked a last minute contract extension to keep the Common Vulnerabilities and Exposures program up and running. Well now the cyber security community itself is debating whether reforms are needed to that CVE system. Federal News Network's Justin Doubleday joins me with what's going on here. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
A federally funded cyber security program used by organizations throughout the world nearly shut down. Last week, the Cybersecurity and Infrastructure Security Agency finally inked a last minute contract extension to keep the Common Vulnerabilities and Exposures program up and running. Well now the cyber security community itself is debating whether reforms are needed to that CVE system. Federal News Network's Justin Doubleday joins me with what's going on here. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Het kwam vorige week als donderslag bij heldere hemel. Een dag voor het verstrijken van de deadline van 16 april werd duidelijk dat er nog geen nieuwe fondsen beschikbaar gesteld waren door de Amerikaanse overheid voor de CVE-database van de MITRE Corporation. Te elfder ure kwam het toch nog goed. Voor nu althans, want wie weet hoe het over elf maanden gaat, als de nieuwe termijn afloopt. Hoe moeten we deze gang van zaken interpreteren? En wat kunnen we doen om een herhaling van de toch wel paniekerige reacties vorige week te voorkomen? We bespreken het in de nieuwste aflevering van Techzine Talks.De CVE-database is best belangrijk voor de security-industrie. CVE staat voor Common Vulnerabilities and Exposures en is feitelijk de standaard voor het melden en rangschikken van kwetsbaarheden in software en hardware. Deze krijgen ook altijd een score volgens het CVSS, oftewel het Common Vulnerability Scoring System. Op basis daarvan kunnen betrokken partijen dan weer actie ondernemen om het oplossen van bepaalde kwetsbaarheden prioriteit te geven. Het verdwijnen, of in ieder geval het niet meer onderhouden van de CVE-database is in de basis verre van wenselijk. Niet dat we zonder die database volledig aan de goden overgeleverd zijn, maar het zou dan wel ontbreken aan een centrale plaats waar iedereen terecht kan voor informatie over daadwerkelijk vastgestelde en geverifieerde kwetsbaarheden. Dat is niet handig en kan best voor wat vervelende situaties zorgen, zeker als de huidige database steeds minder courant en daarmee relevant wordt.In deze aflevering van Techzine Talks gaan we dieper in op de gebeurtenissen van vorige week. We duiden het belang van de CVE-database en plaatsen het in een breder kader. Daarnaast gaan we ook in op de vraag of de huidige plek wel de beste is voor deze database. Moeten we niet naar een alternatieve locatie kijken voor het hosten? Is dat haalbaar? Zo ja, waar zou het passen?Luister snel naar Techzine Talks, met beeld op YouTube, zonder beeld hieronder en via je favoriete podcastapp.
In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently. Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII Chapters 00:00 Introduction to CVE and CVSS 01:13 History of Vulnerability Tracking 03:07 The CVE System Explained 06:47 Understanding CVSS Scoring 13:11 Recent Funding Crisis and Its Impact 15:53 Future of the CVE Program 18:27 Conclusion and Final Thoughts
The U.S. government has renewed funding for the Common Vulnerabilities and Exposures (CVE) Program, a critical database for tracking cybersecurity flaws, just hours before its funding was set to expire. Established 25 years ago, the CVE program assigns unique identifiers to security vulnerabilities, facilitating consistent communication across the cybersecurity landscape. The renewal of funding comes amid concerns that without it, new vulnerabilities could go untracked, posing risks to national security and critical infrastructure. In response to the funding uncertainty, two initiatives emerged: the CVE Foundation, a nonprofit aimed at ensuring the program's independence, and the Global CVE Allocation System, a decentralized platform introduced by the European Union.In addition to the CVE funding situation, Oregon Senator Ron Wyden has blocked the nomination of Sean Planky to lead the Cybersecurity and Infrastructure Security Agency (CISA) due to the agency's refusal to release a crucial unclassified report from 2022. This report details security issues within U.S. telecommunications companies, which Wyden claims represent a multi-year cover-up of negligent cybersecurity practices. The senator argues that the public deserves access to this information, especially in light of recent cyber threats, including the SALT typhoon hack that compromised sensitive communications.The cybersecurity landscape is further complicated by significant layoffs at CISA, which could affect nearly 40% of its workforce, potentially weakening U.S. national security amid rising cyber threats. Recent cuts have already impacted critical personnel, including threat hunters, which could hinder the agency's ability to share vital threat intelligence with the private sector. Meanwhile, the Defense Digital Service at the Pentagon is facing a mass resignation of nearly all its staff, following pressure from the Department of Government Efficiency, which could effectively shut down the program designed to accelerate technology adoption during national security crises.On the technology front, OpenAI has released new AI reasoning models, O3 and O4 Mini, but notably did not provide a safety report for the new GPT-4.1 model, raising concerns about transparency and accountability in AI development. The lack of a safety report is particularly alarming as AI systems become more integrated into client-facing tools. Additionally, SolarWinds Corporation has been acquired by Ternerva Capital, prompting managed service providers (MSPs) to reassess their dependencies on SolarWinds products and consider the implications for product roadmaps and support guarantees. Four things to know today 00:00 From Panic to Pivot: U.S. Saves CVE Program at the Eleventh Hour04:17 A Cybersecurity Meltdown: One Senator Blocks, Another Leader Quits, and a Whole Pentagon Team Walks Out08:54 OpenAI Just Leveled Up AI Reasoning—But Left Out the Fine Print11:45 SolarWinds Is Private Again: What That Means for MSPs Watching the Roadmap Supported by: https://www.huntress.com/mspradio/ https://cometbackup.com/?utm_source=mspradio&utm_medium=podcast&utm_campaign=sponsorship Join Dave April 22nd to learn about Marketing in the AI Era. Signup here: https://hubs.la/Q03dwWqg0 All our Sponsors: https://businessof.tech/sponsors/ Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/Looking for a link from the stories? The entire script of the show, with links to articles, are posted in each story on https://www.businessof.tech/ Support the show on Patreon: https://patreon.com/mspradio/ Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on:LinkedIn: https://www.linkedin.com/company/28908079/YouTube: https://youtube.com/mspradio/Facebook: https://www.facebook.com/mspradionews/Instagram: https://www.instagram.com/mspradio/TikTok: https://www.tiktok.com/@businessoftechBluesky: https://bsky.app/profile/businessof.tech
2025. április 17., csütörtök 8-9 óra TRUMPOCRACY: a költségcsökkentés láncfűrésze elérte a világ egyik legfontosabb adatbázisát… Megakadhat az egyik, ha nem a legfontosabb kiberbiztonsági adatbázis működése. Az ún. Gyakori sebezhetőségek és kockázatok (Common Vulnerabilities and Exposures) vagyis CVE-programban a rendszergazdák, fejlesztők és kiberbiztonsági szakemberek folyamatosan megosztják a felmerülő problémákat szoftverekkel és hardverekkel, hogy azokat minél előbb befoltozzák. A MITRE nevű nonprofit kutató- és fejlesztőintézet, ami a CVE-t működteti, április 15-én jelezte, hogy másnaptól megszűnik a szerződése az amerikai kormánnyal (egész pontosan a belbiztonsági minisztériummal), ami ahhoz vezethet, hogy nem tudják frissíteni a kulcsfontosságú adatbázist. Emiatt szoftverek és rendszerek sebezhetőbbé válhatnak, ami világszerte komoly kockázatot jelent. „Ha a szolgáltatás megszakadna, több hatása is lenne a CVE-re, többek között a nemzeti sebezhetőségi adatbázisok és tájékoztatók, az eszközgyártók, az incidensekre reagáló műveletek és mindenféle kritikus infrastruktúra romlása” – írta a CVE igazgatótanácsának szóló levelében Yosry Barsoum, a MITRE alelnöke. Veszélyben a kiberbiztonság szókincse: leállhat a CVE-adatbázis az amerikai finanszírozás megszűnése miatt | Linux Mint Magyar Közösség Telex: Szerdán leállhat az egyik legfontosabb globális kiberbiztonsági adatbázis Kovács 4 Zoltán kiberbiztonsági szakértő ARANYKÖPÉS “Utálom az időt. Soha nem csinálja azt, amit szeretnél.” 1957-ben ezen a napon született Nick Hornby angol író, publicista Művei: Pop, csajok satöbbi (High Fidelity), az Egy fiúról (About a Boy) és a Fociláz (Fever Pitch). “Vásároljátok meg azt, amire nincs szükségetek, és rövid idő múlva kénytelenek lesztek eladni azt, amire szükségetek van.” 1790-ben ezen a napon hunyt el Benjamin Franklin amerikai író, tudós, államférfi (* 1706) FUTÓMŰ Március végén történt, hogy betonkorlátnak ütközött a Xiaomi SU7 típusú elektromos önvezető autója, és hárman szörnyethaltak. Az erre adott tőzsdei reakciók, és a társadalmi vita Kínában arról, hogy hogyan kezeljék ezt a technológiát. Az ügy hatása most kezd kibontakozni, szabályozói, társadalmi párbeszéd szinten - lehet, hogy az eddigi, megengedő hozzáállást jelentősen szigorítják emiatt. Új Stellantis vezető spekuláció Betonkorlátnak ütközött egy önvezető autó, hárman szörnyethaltak 14 milliárdot kap a bukott cégvezető Várkonyi Gábor, autópiaci szakértő
In this episode, Geoff and Skyler talk with TrustedSec Security Consultants Whitney Phillips and Justin Bollinger about their recent presentations and experiences at CactusCon in Mesa, Arizona. Justin delves deep into the complexities surrounding the Common Vulnerabilities and Exposures (CVE) identification process and bug bounty programs, highlighting key challenges security researchers face. Whitney shares her expertise on crafting and delivering impactful conference presentations, offering valuable insights into preparation, audience engagement techniques, and managing presentation anxiety. Both consultants provide their unique perspectives on the conference highlights, including notable keynotes, networking opportunities, and emerging security trends discussed at this prominent Southwest cybersecurity event. About this podcast: Security Noise, a TrustedSec Podcast hosted by Geoff Walton and Producer/Contributor Skyler Tuter, features our cybersecurity experts in conversation about the infosec topics that interest them the most. Hack the planet! Find more cybersecurity resources on our website at https://trustedsec.com/resources.
A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross- reference, all the known software vulnerabilities in the world.
A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross- reference, all the known software vulnerabilities in the world. Learn more about your ad choices. Visit megaphone.fm/adchoices
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. CVE2CAPEC is a tool developed by Galeax that automates the process of mapping Common Vulnerabilities and Exposures (CVEs) to Common Weakness Enumerations (CWEs), Common Attack Pattern Enumeration and Classification (CAPEC), and MITRE ATT&CK Techniques.This tool helps security researchers identify vulnerabilities within macOS's sandbox restrictions, particularly targeting XPC services in the PID domain marked as "Application" services, which often lack adequate protection.Zscaler's recent blog discusses how North Korean IT professionals are increasingly finding remote work in Western companies, often under disguised identities.In a recent campaign, GootLoader malware has been targeting Bengal cat enthusiasts in Australia using SEO poisoning tactics.After a multi-month absence, the malware loader FakeBat—also known as Eugenloader or PaykLoader—has resurfaced, distributing malware through Google Ads, with a recent campaign exploiting ads for the popular app Notion.Over the past five years, Sophos has been engaged in a complex battle against Chinese state-sponsored cyber adversaries targeting its firewall products. This prolonged engagement, detailed in Sophos' "Pacific Rim" report, reveals a series of sophisticated attacks aimed at exploiting vulnerabilities in internet-facing devices, particularly those within critical infrastructure sectors across South and Southeast Asia.
Forecast = Expect severe disruptions in transit security, with a chance of clearer skies as the White House pushes for smoother collaboration with cybersecurity researchers. Transport for London's Cybersecurity Crisis Transport for London (TfL) has found itself in a cybersecurity “trainwreck,” facing a range of vulnerabilities and management issues that have exposed its infrastructure to significant risk. An investigation reveals a series of failures, from outdated systems to neglected security protocols, painting a chaotic picture of public infrastructure's readiness against cyber threats. With passengers' data and critical operations potentially at stake, this story highlights the growing urgency for improved cybersecurity measures in public sector systems. White House Endorsement of Cybersecurity Researcher Collaboration In a significant policy shift, the White House has endorsed a more collaborative approach with cybersecurity researchers, aiming to bolster national defenses against growing cyber threats. This endorsement includes support for responsible disclosure practices and partnerships that could help expedite vulnerability identification and mitigation across industries. By actively promoting collaboration, the administration signals a move toward a more unified and proactive stance on national cybersecurity, recognizing the essential role of researchers in safeguarding critical infrastructure and public safety. CVE's 25th Anniversary Report Celebrating 25 years, the Common Vulnerabilities and Exposures (CVE) program reflects on its progress in tracking and cataloging cybersecurity threats, becoming a cornerstone in the fight against vulnerabilities. The anniversary report not only emphasizes milestones in vulnerability identification and mitigation but also considers how the program must evolve to meet emerging challenges as cyber threats grow more sophisticated. With an eye on improving its database and keeping pace with the expanding threat landscape, CVE aims to continue being an essential resource for the cybersecurity community. CVE-2024-47575 Vulnerability as Flagged by Censys Censys has flagged CVE-2024-47575 as a serious vulnerability affecting systems reliant on outdated cryptographic protocols, specifically impacting certain SSL/TLS implementations. This vulnerability poses a risk to data integrity and confidentiality, enabling potential attackers to intercept or alter sensitive information in transit. The case of CVE-2024-47575 underscores the need for organizations to update and secure their cryptographic practices to avoid exposure to similar vulnerabilities. Storm Watch Homepage >> Learn more about GreyNoise >>
The National Institute of Standards and Technology (NIST) facces ongoing challenges regarding its backlog of security vulnerability reports. Despite some progress, NIST missed its September 30th deadline to restore processing speeds to pre-February levels, leaving over 17,000 Common Vulnerabilities and Exposures (CVEs) unprocessed. This backlog poses significant risks to organizations, as they may remain unaware of vulnerabilities that are actively being exploited. The episode highlights the importance of effective risk management in cybersecurity and encourages organizations to pressure vendors to participate in disclosure programs.The episode also delves into the rising concerns surrounding cloud security threats, which have become the top worry for executives, according to a recent PwC report. The report identifies hack and leak operations, third-party breaches, and ransomware as leading threats, with organizations feeling least prepared to address cloud attacks. Additionally, Microsoft has informed customers about a software bug that affected log data collection for key security products, emphasizing the need for robust security measures and incident response planning.Host Dave Sobel shifts focus to the impact of Broadcom's acquisition of VMware, which has led many users to explore alternatives like OpenStack. The latest version of OpenStack, codenamed Dalmatian, is experiencing a resurgence as former VMware users migrate to its platform, benefiting from improved tools and a stable ecosystem. Meanwhile, Microsoft has announced a 10% price increase for its System Center management tool set for 2025, raising questions about potential challenges for the product in the competitive landscape.Finally, the episode addresses the stagnation in IT leadership diversity, revealing concerning statistics from a recent survey. The data shows that 89.6% of IT leaders are white and 79% are male, with minimal changes from previous quarters. The Society for Human Resource Management's recent decision to remove equity from its diversity, equity, and inclusion strategy has sparked controversy, as critics argue it undermines commitments to fostering a diverse workplace. Sobel emphasizes the importance of gender diversity in IT, citing research that indicates diverse teams outperform homogeneous ones, ultimately enhancing business efficiency and customer satisfaction.Four things to know today00:00 NIST Faces Vulnerability Report Backlog as Cloud Threats Dominate Cybersecurity Concerns04:02 VMware Users Flock to OpenStack Amid Acquisition Uncertainty, While Microsoft Ups System Center Pricing for 2025 05:36 Apple Addresses macOS Sequoia Cybersecurity Bugs Ahead of Major AI Launch with iOS 18.106:38 IT Leadership Diversity Stagnates as DEI Efforts Face Scrutiny Supported by: https://www.huntress.com/mspradio/https://www.coreview.com/msp Event: www.smbTechFest.com/Go/Sobel All our Sponsors: https://businessof.tech/sponsors/ Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/Looking for a link from the stories? The entire script of the show, with links to articles, are posted in each story on https://www.businessof.tech/ Support the show on Patreon: https://patreon.com/mspradio/ Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com Follow us on:LinkedIn: https://www.linkedin.com/company/28908079/YouTube: https://youtube.com/mspradio/Facebook: https://www.facebook.com/mspradionews/Instagram: https://www.instagram.com/mspradio/TikTok: https://www.tiktok.com/@businessoftechBluesky: https://bsky.app/profile/businessoftech.bsky.social
All Things Internal Audit: Elevating Data Security In this episode, Terry Ray, a top expert in data security, talks with David Pretrisky, director of Professional Standards at The IIA, about why asking the right questions is key to boosting data security and compliance in organizations. They'll dive into how internal auditors can strengthen their organization's security, the hurdles they encounter, and practical strategies for success. Guests: Terry Ray, senior vice president, data security GTM, field CTO, and fellow at Imperva Host: David Petrisky, director, Professional Standards, The IIA Key Points: Introduction to Data Security and Compliance (00:00:02 - 00:00:22) Breaking Down Data Defense (00:00:31 - 00:02:45) Prioritizing Security Controls (00:02:52 - 00:04:24) Key Frameworks for Security (00:04:58 - 00:06:22) Common Vulnerabilities and Breaches (00:06:22 - 00:08:25) Advice for Internal Auditors (00:08:25 - 00:11:10) Compliance and Regulatory Frameworks (00:11:15 - 00:14:05) Internal Auditors' Role in Security (00:14:05 - 00:17:11) Final Advice for Internal Auditors (00:17:11 - 00:17:32) The IIA Related Content: Interested in this topic? Find more articles and resources to support internal auditors in protecting data here. Elevate your internal auditing skills and enroll in The IIA's 2024 Cybersecurity Virtual Conference. Visit The IIA's website or YouTube channel for related topics and more. Resources Mentioned: NIST Cybersecurity Framework General Data Protection Regulation PCI Data Security Standard Follow All Things Internal Audit: Apple PodcastsSpotify LibsynDeezer
Have you ever considered how IT professionals uncover vulnerabilities and assess their severity within networks or software systems? Imagine your home security system. You'd want to know if there's a window that won't lock properly or a door that's easy to break into. Vulnerability scoring systems and databases are like home inspectors in the digital world. They check for digital “unlocked windows” in software and then rank them on how easy it would be for a cyber attacker to get in. This helps computer professionals fix these vulnerabilities before any digital attacker exploits the system. Following are some of the vulnerability scoring systems and databases: Common Vulnerabilities and Exposures (CVE): It's like a bulletin board in the community center listing all the known local issues. CVE lists all the known security problems in software that everyone should know. National Vulnerability Database (NVD): This is like a detailed town hall file with records of all the issues listed on the community bulletin board, their severity, and what can be done about them. Common Weakness Enumeration (CWE): Imagine a library archive that records all the common problems that buildings might have, like weak locks or shoddy windows, so that they can be fixed or avoided in the future. View More: What are Vulnerability Scoring Systems and Databases?
In the season's final episode, hosts Lois Houston and Nikita Abraham interview senior OCI instructor Mahendra Mehra about the security practices that are vital for OKE clusters on OCI. Mahendra shares his expert insights on the importance of Kubernetes security, especially in today's digital landscape where the integrity of data and applications is paramount. OCI Container Engine for Kubernetes Specialist: https://mylearn.oracle.com/ou/course/oci-container-engine-for-kubernetes-specialist/134971/210836 Oracle University Learning Community: https://education.oracle.com/ou-community LinkedIn: https://www.linkedin.com/showcase/oracle-university/ X (formerly Twitter): https://twitter.com/Oracle_Edu Special thanks to Arijit Ghosh, David Wright, Radhika Banka, and the OU Studio Team for helping us create this episode. --------------------------------------------------------- Episode Transcript: 00:00 Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we'll bring you foundational training on the most popular Oracle technologies. Let's get started! 00:26 Nikita: Welcome to the Oracle University Podcast! I'm Nikita Abraham, Principal Technical Editor with Oracle University, and with me is Lois Houston, Director of Innovation Programs. Lois: Hi there! In our last episode, we spoke about self-managed nodes and how you can manage Kubernetes deployments. Nikita: Today is the final episode of this series on OCI Container Engine for Kubernetes. We're going to look at the security side of things and discuss how you can implement vital security practices for your OKE clusters on OCI, and safeguard your infrastructure and data. 00:59 Lois: That's right, Niki! We can't overstate the importance of Kubernetes security, especially in today's digital landscape, where the integrity of your data and applications is paramount. With us today is senior OCI instructor, Mahendra Mehra, who will take us through Kubernetes security and compliance practices. Hi Mahendra! It's great to have you here. I want to jump right in and ask you, how can users add a service account authentication token to a kubeconfig file? Mahendra: When you set up the kubeconfig file for a cluster, by default, it contains an Oracle Cloud Infrastructure CLI command to generate a short-lived, cluster-scoped, user-specific authentication token. The authentication token generated by the CLI command is appropriate to authenticate individual users accessing the cluster using kubectl and the Kubernetes Dashboard. However, the generated authentication token is not appropriate to authenticate processes and tools accessing the cluster, such as continuous integration and continuous delivery tools. To ensure access to the cluster, such tools require long-lived non-user-specific authentication tokens. One solution is to use a Kubernetes service account. Having created a service account, you bind it to a cluster role binding that has cluster administration permissions. You can create an authentication token for this service account, which is stored as a Kubernetes secret. You can then add the service account as a user definition in the kubeconfig file itself. Other tools can then use this service account authentication token when accessing the cluster. 02:47 Nikita: So, as I understand it, adding a service account authentication token to a kubeconfig file enhances security and enables automated tools to interact seamlessly with your Kubernetes cluster. So, let's talk about the permissions users need to access clusters they have created using Container Engine for Kubernetes. Mahendra: For most operations on Container Engine for Kubernetes clusters, IAM leverages the concept of groups. A user's permissions are determined by the IAM groups they belong to, including dynamic groups. The access rights for these groups are defined by policies. IAM provides granular control over various cluster operations, such as the ability to create or delete clusters, add, remove, or modify node pool, and dictate the Kubernetes object create, delete, view operations a user can perform. All these controls are specified at the group and policy levels. In addition to IAM, the Kubernetes role-based access control authorizer can enforce additional fine-grained access control for users on specific clusters via Kubernetes RBAC roles and ClusterRoles. 04:03 Nikita: What are Kubernetes RBAC roles and ClusterRoles, Mahendra? Mahendra: Roles here defines permissions for resources within a specific namespace and ClusterRole is a global object that will provide access to global objects as well as non-resource URLs, such as API version and health endpoints on the API server. Kubernetes RBAC also includes RoleBindings and ClusterRoleBindings. RoleBinding grants permission to subjects, which can be a user, service, or group interacting with the Kubernetes API. It specified an allowed operation for a given subject in the cluster. RoleBinding is always created in a specific namespace. When associated with a role, it provides users permission specified within that role related to the objects within that namespace. When associated with a ClusterRole, it provides access to namespaced objects only defined within that cluster rule and related to the roles namespace. ClusterRoleBinding, on the other hand, is a global object. It associates cluster roles with users, groups, and service accounts. But it cannot be associated with a namespaced role. ClusterRoleBinding is used to provide access to global objects, non-namespaced objects, or to namespaced objects in all namespaces. 05:36 Lois: Mahendra, what's IAM's role in this? How do IAM and Kubernetes RBAC work together? Mahendra: IAM provides broader permissions, while Kubernetes RBAC offers fine-grained control. Users authorized either by IAM or Kubernetes RBAC can perform Kubernetes operations. When a user attempts to perform any operation on a cluster, except for create role and create cluster role operations, IAM first determines whether a group or dynamic group to which the user belongs has the appropriate and sufficient permissions. If so, the operation succeeds. If the attempted operation also requires additional permissions granted via a Kubernetes RBAC role or cluster role, the Kubernetes RBAC authorizer then determines whether the user or group has been granted the appropriate Kubernetes role or Kubernetes ClusterRoles. 06:41 Lois: OK. What kind of permissions do users need to define custom Kubernetes RBAC rules and ClusterRoles? Mahendra: It's common to define custom Kubernetes RBAC rules and ClusterRoles for precise control. To create these, a user must have existing roles or ClusterRoles with equal or higher privileges. By default, users don't have any RBAC roles assigned. But there are default roles like cluster admin or super user privileges. 07:12 Nikita: I want to ask you about securing and handling sensitive information within Kubernetes clusters, and ensuring a robust security posture. What can you tell us about this? Mahendra: When creating Kubernetes clusters using OCI Container Engine for Kubernetes, there are two fundamental approaches to store application secrets. We can opt for storing and managing secrets in an external secrets store accessed seamlessly through the Kubernetes Secrets Store CSI driver. Alternatively, we have the option of storing Kubernetes secret objects directly in etcd. 07:53 Lois: OK, let's tackle them one by one. What can you tell us about the first method, storing secrets in an external secret store? Mahendra: This integration allows Kubernetes clusters to mount multiple secrets, keys, and certificates into pods as volumes. The Kubernetes Secrets Store CSI driver facilitates seamless integration between our Kubernetes clusters and external secret stores. With the Secrets Store CSI driver, our Kubernetes clusters can mount and manage multiple secrets, keys, and certificates from external sources. These are accessible as volumes, making it easy to incorporate them into our application containers. OCI Vault is a notable external secrets store. And Oracle provides the Oracle Secrets Store CSI driver provider to enable Kubernetes clusters to seamlessly access secrets stored in Vault. 08:54 Nikita: And what about the second method? How can we store secrets as Kubernetes secret objects in etcd? Mahendra: In this approach, we store and manage our application secrets using Kubernetes secret objects. These objects are directly managed within etcd, the distributed key value store used for Kubernetes cluster coordination and state management. In OKE, etcd reads and writes data to and from block storage volumes in OCI block volume service. By default, OCI ensures security of our secrets and etcd data by encrypting it at rest. Oracle handles this encryption automatically, providing a secure environment for our secrets. Oracle takes responsibility for managing the master encryption key for data at rest, including etcd and Kubernetes secrets. This ensures the integrity and security of our stored secrets. If needed, there are options for users to manage the master encryption key themselves. 10:06 Lois: OK. We understand that managing secrets is a critical aspect of maintaining a secure Kubernetes environment, and one that users should not take lightly. Can we talk about OKE Container Image Security? What essential characteristics should container images possess to fortify the security posture of a user's applications? Mahendra: In the dynamic landscape of containerized applications, ensuring the security of containerized images is paramount. It is not uncommon for the operating system packages included in images to have vulnerabilities. Managing these vulnerabilities enables you to strengthen the security posture of your system and respond quickly when new vulnerabilities are discovered. You can set up Oracle Cloud Infrastructure Registry, also known as Container Registry, to scan images in a repository for security vulnerabilities published in the publicly available Common Vulnerabilities and Exposures Database. 11:10 Lois: And how is this done? Is it automatic? Mahendra: To perform image scanning, Container Registry makes use of the Oracle Cloud Infrastructure Vulnerability Scanning Service and Vulnerability Scanning REST API. When new vulnerabilities are added to the CVE database, the container registry initiates automatic rescanning of images in repositories that have scanning enabled. 11:41 Do you want to stay ahead of the curve in the ever-evolving AI landscape? Look no further than our brand-new OCI Generative AI Professional course and certification. For a limited time only, we're offering both the course and certification for free! So, don't miss out on this exclusive opportunity to get certified on Generative AI at no cost. Act fast because this offer is valid only until July 31, 2024. Visit https://education.oracle.com/genai to get started. That's https://education.oracle.com/genai. 12:20 Nikita: Welcome back! Mahendra, what are the benefits of image scanning? Mahendra: You can gain valuable insights into each image scan conducted over the past 13 months. This includes an overview of the number of vulnerabilities detected and an overall risk assessment for each scan. Additionally, you can delve into comprehensive details of each scan featuring descriptions of individual vulnerabilities, their associated risk levels, and direct links to the CVE database for more comprehensive information. This historical and detailed data empowers you to monitor, compare, and enhance image security over time. You can also disable image scanning on a particular repository by removing the image scanner. 13:11 Nikita: Another characteristic that container images should have is unaltered integrity, right? Mahendra: For compliance and security reasons, system administrators often want to deploy software into a production system. Only when they are satisfied that the software has not been modified since it was published compromising its integrity. Ensuring the unaltered integrity of software is paramount for compliance and security in production environment. 13:41 Lois: Mahendra, what are the mechanisms that guarantee this integrity within the context of Oracle Cloud Infrastructure? Mahendra: Image signatures play a pivotal role in not only verifying the source of an image but also ensuring its integrity. Oracle's Container Registry facilitates this process by allowing users or systems to push images and sign them using a master encryption key sourced from the OCI Vault. It's worth noting that an image can have multiple signatures, each associated with a distinct master encryption key. These signatures are uniquely tied to an image OCID, providing granularity to the verification process. Furthermore, the process of image signing mandates the use of an RSA asymmetric key from the OCI Vault, ensuring a robust and secure validation of the image's unaltered integrity. 14:45 Nikita: In the context of container images, how can users ensure the use of trusted sources within OCI? Mahendra: System administrators need the assurance that the software being deployed in a production system originates from a source they trust. Signed images play a pivotal role, providing a means to verify both the source and the integrity of the image. To further strengthen this, administrators can create image verification policies for clusters, specifying which master encryption keys must have been used to sign images. This enhances security by configuring container engine for Kubernetes clusters to allow the deployment of images signed with specific encryption keys from Oracle Cloud Infrastructure Registry. Users or systems retrieving signed images from OCIR can trust the source and be confident in the image's integrity. 15:46 Lois: Why is it imperative for users to use signed images from Oracle Cloud Infrastructure Registry when deploying applications to a Container Engine for Kubernetes cluster? Mahendra: This practice is crucial for ensuring the integrity and authenticity of the deployed images. To achieve this enforcement. It's important to note that an image in OCIR can have multiple signatures, each linked to a different master encryption key. This multikey association adds layers of security to the verification process. A cluster's image verification policy comes into play, allowing administrators to specify up to five master encryption keys. This policy serves as a guideline for the cluster, dictating which keys are deemed valid for image signatures. If a cluster's image verification policy doesn't explicitly specify encryption keys, any signed image can be pulled regardless of the key used. Any unsigned image can also be pulled potentially compromising the security measures. 16:56 Lois: Mahendra, can you break down the essential permissions required to bolster security measures within a user's OKE clusters? Mahendra: To enable clusters to include master encryption key in image verification policies, you must give clusters permission to use keys from OCI Vault. For example, to grant this permission to a particular cluster in the tenancy, we must use the policy—allow any user to use keys in tenancy where request.user.id is set to the cluster's OCID. Additionally, for clusters to seamlessly pull signed images from Oracle Cloud Infrastructure Registry, it's vital to provide permissions for accessing repositories in OCIR. 17:43 Lois: I know this may sound like a lot, but OKE container image security is vital for safeguarding your containerized applications. Thank you so much, Mahendra, for being with us through the season and taking us through all of these important concepts. Nikita: To learn more about the topics covered today, visit mylearn.oracle.com and search for the OCI Container Engine for Kubernetes Specialist course. Join us next week for another episode of the Oracle University Podcast. Until then, this is Nikita Abraham… Lois Houston: And Lois Houston, signing off! 18:16 That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes. We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.
In Folge 5 von Passwort geht es um eindeutige Kennzeichnungen von "Common Vulnerabilities and Exposures", also die bekannten CVE-Nummern, mit denen Sicherheitslücken identifiziert werden. Die Hosts Christopher und Sylvester besprechen, welchen Zweck CVEs haben, wie und von wem die Nummern vergeben werden und wo es hapert. Allzu rosig sieht die Zukunft von CVE-Nummern nämlich nicht aus. Es gibt diverse Probleme und Kritiker, unter anderem die Entwickler des Linux-Kernels. Die halten wenig von speziellen Kennzeichnungen für Security-Bugs und vermitteln ihre Sicht der Dinge mit dem Holzhammer. CVE-Datenbanken: * CVE-Suche von Mitre: https://www.cve.org * CVE-Suche der NVD: https://nvd.nist.gov/vuln/search Beispiele für Problem-CVEs * Curl: https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/ & https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/ * PostgreSQL: https://www.postgresql.org/about/news/cve-2020-21469-is-not-a-security-vulnerability-2701/ * KeePassXC: https://keepassxc.org/blog/2023-06-20-cve-202335866/ * Azure: https://heise.de/-9755370 CVE-Regeln * Regelwerk für CNAs: https://www.cve.org/ResourcesSupport/AllResources/CNARules * Vorgehen der Kernel-CNA: https://docs.kernel.org/process/cve.html * Talk von Greg KH zu CVEs: https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
Beschreibung: Neu! Summary durch AI generiert: In dieser Episode diskutieren wir verschiedene Themen. Wir sprechen über die Web-Integrität von Google und die Möglichkeit, dass ähnliche Mechanismen auch auf andere Webseiten angewendet werden könnten. Wir diskutieren die Sicherheitsstrategie der US-Regierung nach dem Angriff auf die Azure Cloud und die Vor- und Nachteile der Nutzung von Cloud-Services. Des Weiteren sprechen wir über Common Vulnerabilities and Exposures (CVEs) und die Probleme bei der Sicherheitsbewertung von Schwachstellen. Wir diskutieren den YouTuber Leeroy und den Angriff auf den Jabber.ru-Server. Anschließend tauschen wir unsere Gedanken über Hacking-Operationen von Geheimdiensten aus und diskutieren moderne Side-Channel-Angriffe auf CPUs und Hardware. In einer weiteren Diskussion geht es um ein kontroverses Video, das von verschiedenen Plattformen gelöscht wurde, und um einen Vorfall bei Okta, einem Unternehmen für Identitätsmanagement. Zum Abschluss diskutieren wir einen Vorfall mit Voltage-Fault-Injection auf AMD-Prozessoren in Tesla-Fahrzeugen. Viel Spaß beim Zuhören! Shownotes: Spiegel Online uses a 2000 years old cipher for their pay wall - Robert Penz Blog Hackers Stole Access Tokens from Oktas Support Unit; Krebs on Security Cloudflare mitigated yet another Okta compromise - Hacker News Okta incident and 1Password - 1Password Nitter Reflections on Trusting Trust Microsoft finally explains cause of Azure breach - Ars Technica iLeakage Dan Goodin: Google has removed a video posted by academic researchers - Infosec Exchange Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service Black Hat USA 2023: Jailbreaking an Tesla in 2023 Web Environment Integrity Explainer Enabling ACME CAA Account and Method Binding RFC 8657 Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding
Guests Daniel Stenberg | Dan Lorenc Panelist Richard Littauer Show Notes Today, we are switching things up and doing something new for this episode of Sustain, where we'll be talking about current events, specifically security challenges. Richard welcomes guest, Daniel Stenberg, founder, and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported, scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDOS attacks. Dan Lorenc, co-founder, and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NDS's response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system's future. Hit download now to hear more! [00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn't acknowledged by the cURL team. [00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE. discusses the process of requesting a CVE. He also mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs. [00:03:54] Daniel discusses the process of requesting a CVE which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs. [00:06:21] Richard asks about how NVD assigns severity scores to CVEs and specifically in the case of CVE 2020, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat. [00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea and discusses his efforts to address the issue. He expresses frustration with NVD's scoring system and their lack of communication. [00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of vulnerabilities. [00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports. [00:16:11] Dan mentions the problems with the CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity and widely used libraries like cURL, which could reduce the noise and waste of resources in the industry. [00:18:23] Richard presents NVD's response to their inquiry. Then, Daniel and Richard discuss NVD's response and the discrepancy between their assessment and that of open source maintainers like Daniel who believe that some CVEs are not valid security issues. [00:20:44] Richard asks if anyone offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system. [00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs. [00:23:04] Richard raises concerns about the potential for a CVE DDOS attack on open source, overwhelming them with a flood of CVE reports. [00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs. Links SustainOSS (https://sustainoss.org/) SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) SustainOSS Discourse (https://discourse.sustainoss.org/) podcast@sustainoss.org (mailto:podcast@sustainoss.org) SustainOSS Mastodon (https://mastodon.social/tags/sustainoss) Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss) Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) Richard Littauer Mastodon (https://mastodon.social/@richlitt) Daniel Stenberg Twitter (https://twitter.com/bagder?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) Daniel Stenberg Mastodon (https://mastodon.social/@bagder) Daniel Stenberg Website (https://daniel.haxx.se/) Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor) National Vulnerability Database (https://nvd.nist.gov/) CVE (https://www.cve.org/) cURL (https://curl.se/) Chainguard (https://www.chainguard.dev/) Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project (https://podcast.sustainoss.org/guests/stenberg) Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93) Credits Produced by Justin Dorfman (https://www.justindorfman.com) & Richard Littauer (https://www.burntfen.com/) Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/) Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/) Special Guests: Daniel Stenberg and Dan Lorenc.
One of the challenges of raising a child is teaching them how to share; one of the challenges of federal information technology professionals is teaching them to share. Today we take a look at organizations that encounter cyber threats and their efforts at sharing threat information. Sharing cyber threat information isn't a recent idea -- Executive Orders have encouraged sharing for years. February 13, 2015, talks about the goal of creating robust information sharing related to cybersecurity risks and incidents. May 12, 2021 “Removing barriers to threat sharing” that encourages the sharing of information across federal agencies. In the commercial world, people are afraid to share cyber threat information because it may make them look weak to customers. If they share that data with competition, then their commercial opponents may have a leg up on them. The federal world is just resistant but for different reasons. If a vulnerability is announced, there is a threat that federal systems that aren't patched will be vulnerable to attack. This is the challenge addressed in today's interview with federal CISOs and a commercial expert. Jonathan Feibus from the NRC looks at budget -- smaller agencies may not be able to afford to get commercial data on threats. Companies like Mitre make available public Common Vulnerabilities and Exposure (CVE) lists for free. The most recent list includes 210,558 vulnerabilities. It is indeed possible for a commercial company to have systems where vulnerabilities can be identified and remediated before they makes the CVE list.
Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: AI Incident Sharing - Best practices from other fields and a comprehensive list of existing platforms, published by stepanlos on June 29, 2023 on The Effective Altruism Forum. Purpose of this post: The purpose of this post is three-fold: 1) highlight the importance of incident sharing and share best practices from adjacent fields to AI safety 2) collect tentative and existing ideas of implementing a widely used AI incident database and 3) serve as a comprehensive list of existing AI incident databases as of June 2023. Epistemic status: I have spent around 25+ hours researching this topic and this list is by no means meant to be exhaustive. It should give the reader an idea of relevant adjacent fields where incident databases are common practice and should highlight some of the more widely used AI incident databases which exist to date. Please feel encouraged to comment any relevant ideas or databases that I have missed, I will periodically update the list if I find anything new. Motivation for AI Incident Databases Sharing incidents, near misses and best practices in AI development decreases the likelihood of future malfunctions and large-scale risk. To mitigate risks from AI systems, it is vital to understand the causes and effects of their failures. Many AI governance organizations, including FLI and CSET, recommend creating a detailed database of AI incidents to enable information-sharing between developers, government and the public. Generally, information-sharing between different stakeholders 1) enables quicker identification of security issues and 2) boosts risk-mitigation by helping companies take appropriate actions against vulnerabilities. Best practices from other fields National Transportation Safety Board (NTSB) publishes and maintains a database of aviation accidents, including detailed reports evaluating technological and environmental factors as well as potential human errors causing the incident. The reports include descriptions of the aircraft, how it was operated by the flight crew, environmental conditions, consequences of event, probable cause of accident, etc. The meticulous record-keeping and best-practices recommendations are one of the key factors behind the steady decline in yearly aviation accidents, making air travel one of the safest form of travel. National Highway Traffic Safety Administration (NHTSA) maintains a comprehensive database recording the number of crashes and fatal injuries caused by automobile and motor vehicle traffic, detailing information about the incidents such as specific driver behavior, atmospheric conditions, light conditions or road-type. NHTSA also enforces safety standards for manufacturing and deploying vehicle parts and equipment. Common Vulnerabilities and Exposure (CVE) is a cross-sector public database recording specific vulnerabilities and exposures in information-security systems, maintained by Mitre Corporation. If a vulnerability is reported, it is examined by a CVE Numbering Authority (CNA) and entered into the database with a description and the identification of the information-security system and all its versions that it applies to. Information Sharing and Analysis Centers (ISAC). ISACs are entities established by important stakeholders in critical infrastructure sectors which are responsible for collecting and sharing: 1) actionable information about physical and cyber threats 2) sharing best threat-mitigation practices. ISACs have 24/7 threat warning and incident reporting services, providing relevant and prompt information to actors in various sectors including automotive, chemical, gas utility or healthcare. National Council of Information Sharing and Analysis Centers (NCI) is a cross-sector forum designated for sharing and integrating information among sector-based ISACs (Information Sharing an...
This episode examines the common vulnerabilities of people going into relationships such as shame, guilt, vulnerabilities, beers, and much more along with responses to listen or questions. --- Send in a voice message: https://podcasters.spotify.com/pod/show/romantictruth/message Support this podcast: https://podcasters.spotify.com/pod/show/romantictruth/support
This episode explores an open source software vulnerability scanner called CVE Binary Tool, which scans binaries and component lists in your project and reports back known vulnerabilities based on data from NIST's National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs). My guest is Dr. Terry Oda, a security researcher at Intel and the lead maintainer of CVE Binary Tool, and co-host Chris Norman, Intel Open Source Evangelist joins us to explore the inner workings of the project and discuss contribution, community and the importance of developer-focused initiatives like Google Summer of Code. Guest: Terri Oda has a PhD in horribleness, assuming we can all agree that web security is kind of horrible. She specializes in saying “no” and explaining things in varied roles as an open source security professional, a parent, and the volunteer coordinator of a summer mentoring program for Python.
ZenCon0 was our first-ever summit to celebrate what we have achieved, share ideas for growth, and envision the future of the broader #Horizen ecosystem. We welcomed partners, advisors, and community members on stage to discuss visions and expertise in the area. Event website: https://zencon.events/ ***** Twitter: https://twitter.com/horizenglobal Facebook: https://www.facebook.com/horizenglobal Instagram: https://www.instagram.com/horizenglobal/ Reddit page: https://www.reddit.com/r/Horizen/ Discord channel: https://horizen.global/invite/discord Telegram channel: https://t.me/horizencommunity Website: https://horizen.io Horizen on CoinMarketCap – https://bit.ly/ZENCoinMarketCap Horizen on CoinGecko – https://bit.ly/ZENCoinGecko
Nord Stream pipelines sabotaged in a kinetic attack. NSA and CISA issue guidance on ICS threats. Ukraine anticipates Russian cyberattacks against the energy sector. Dragos receives CVE numbering authority. CISA's ICS Advisories. Guest Dawn Cappelli of Dragos shares an update on OT-CERT. In the Learning Lab, Mark Urban and Phil Tonkin of Dragos talk about where does all that electricity that is generated go? Control Loop News Brief. Nord Stream pipelines sabotaged in a kinetic attack. Sweden Detected Two Underwater Explosions Near Nord Stream Leak (Bloomberg) Germany Suspects Sabotage Hit Russia's Nord Stream Pipelines (Bloomberg) European leaders blame Russian ‘sabotage' after Nord Stream explosions (The Washington Post) Kremlin dismisses 'stupid' claims Russia attacked Nord Stream (Reuters) EU vows to protect energy network after 'sabotage' of Russian gas pipeline (Reuters) NSA and CISA issue guidance on ICS threats. NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It (NSA) NSA and CISA explain the potential consequences of these attacks. Control System Defense: Know the Opponent (NSA/CISA) Dragos receives CVE numbering authority. The CVE Program Recognizes Dragos as a Numbering Authority for Common Vulnerabilities and Exposures (Dragos) CISA's ICS Advisories. CISA Releases Eight industrial Control Systems Advisories (CISA) Control Loop Interview. Dawn Cappelli of Dragos shares an update on OT-CERT now that it's live and providing free resources to small and medium sized organizations with OT environments. Control Loop Learning Lab. In Part 2 of the Learning Lab segment on electricity, Mark Urban is joined by Dragos' Senior Director of Strategy Phil Tonkin. Now that we know how much electricity is generated, Phil sheds some light on where it all goes.
CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. AA22-228A Alert, Technical Details, and Mitigations Volexity's Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 Hackers are actively exploiting password-stealing flaw in Zimbra CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal… CVE-2022-27925 detail Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925 CVE-2022-37042 detail Authentication bypass in MailboxImportServlet vulnerability CVE-2022-30333 detail UnRAR vulnerability exploited in the wild, likely against Zimbra servers Zimbra Collaboration Kepler 9.0.0 patch 25 GA release Zimbra UnRAR path traversal Operation EmailThief: Active exploitation of zero-day XSS vulnerability in… Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15 All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. AA22-228A Alert, Technical Details, and Mitigations Volexity's Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 Hackers are actively exploiting password-stealing flaw in Zimbra CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal… CVE-2022-27925 detail Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925 CVE-2022-37042 detail Authentication bypass in MailboxImportServlet vulnerability CVE-2022-30333 detail UnRAR vulnerability exploited in the wild, likely against Zimbra servers Zimbra Collaboration Kepler 9.0.0 patch 25 GA release Zimbra UnRAR path traversal Operation EmailThief: Active exploitation of zero-day XSS vulnerability in… Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15 All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
As recently as the 1990s, the information security industry lacked a fundamental mechanism to deal with the notion of sharing both hardware and software vulnerabilities using any sort of meaningful taxonomy. Previous efforts—largely encumbered by vendor-specific naming convention inconsistencies or by the lack of a community consensus around establishing classification primitives—were centered on multidimensional methods of identifying security problems without regard for interoperability; in a seminal progress report, MITRE will later refer to this budding cacophony of naming schemas as the vulnerability "Tower of Babel." Over the years, a community-led effort formally known as the [Common Vulnerabilities and Exposures (or CVE) knowledge base, will grow to become the vulnerability enumeration product that finally bridged the standardization gap. A (very) brief history of CVE In 1999, as David E. Mann and Steven M. Christey (The MITRE Corporation) were trying to gather momentum for a publicly disclosed alternative to early attempts by organizations at sharing any discovered computer flaws, the internet was already buzzing with a growing number of cybersecurity threats. Consequently, CVE's meteoric rise through corporate networks clearly meant that the industry was ripe for a departure from siloed databases and naming conventions to a more centralized approach involving a unified reference system. Thus, CVE evolved as a practical evaluation tool—a sort of dictionary, if you will—to describe common vulnerabilities across diverse security platforms without incurring the penalty of having a multitude of references attributed to the same exposure. Its subsequent endorsement will come in many forms, including being the point of origin of countless new CVE-compatible products and services originating from the vendor community at large. In addition, as the CVE initiative grew, so did the number of identifiers (or CVE entries) officially received and processed through several refinement phases and advisory boards—from a modest 321 entries back in 1999 to over 185K as of this year; the list keeps growing. A second major catalyst for integration orients us toward operating systems and their inclusion of CVE-related information to deal with software bugs and the inherent asymmetries that arise from product release to patching, as it is well understood that the presence of any high-impact vulnerabilities exponentially increases the probability of a serious breach. Finally, CVEs are the cornerstone of threat-informed defense and vulnerability management strategies in a digital world visibly marked by the presence of miscreants in practically every area, combining these under the banner of the MITRE ATT&CK® framework. This sort of objectivity distills and contextualizes the impact of security vulnerabilities together with adversarial tactics against the risk assessment backdrop, providing defenders with a unique opportunity to plan any mitigation responses accordingly. But, what qualifies as a CVE? In short, a vulnerability becomes a single CVE when the following three criteria are met: The reporting entity, product owner, hardware, or software vendor must acknowledge and/or document the vulnerability as being a proven risk and explain how it violates any existing security policies. The security flaw must be independently fixable; that is, its context representation does not involve references or dependence on any additional vulnerabilities. The flaw affects a discrete codebase, or in cases of shared libraries and/or protocols that cannot be used securely; otherwise, multiple CVEs will be required. After the remainder of the vetting process is complete, every vulnerability that qualifies as a CVE is assigned a unique ID by a body of numbering authorities (or CNAs) and posted on the CVE website for public distribution. CVE and the attack surface With the frantic expansion of the attack surface beginning some years ago came the visibility i...
In episode 72 of The Cyber5, we are joined by DoorDash Application Security Manager, Patrick Mathieu. We talk about threat intelligence's role within applications security programs, particularly programs focusing on fraud. We discuss the importance of prioritization between what could happen, as often seen in penetration testing, and what is happening, as often seen with threat intelligence. We also talk about the different types of internal and external telemetry that can be used to drive a program and discuss the outcomes that are critical for an application security program to be successful. Three Key Takeaways: 1) Application Security Overlaps and Threat Intelligence Shortcomings Fraud programs exist to save money and application security programs exist to discover and mitigate cyber vulnerabilities. However, most of the same problems are derived from the same weaknesses in the application architecture during the software development lifecycle (SDLC). Any application development team needs to know the following: Attacks: Understand the threat, who is attacking, and what they are attacking. The threat could be the server, the client, the user, etc. Custom Angles: A fraudster is always going to attack the business logic of an application, the custom rules or algorithms that handle the exchange of information between a database and user interface. Obscurity: The threat will not likely be in the news, such as a ransomware group. As a technology company grows, an application will gain interest from fraudsters who will try to abuse the application. Threat intelligence falls short in collecting against these actors because it's so specific to business logic and not an organized crime group with greater notoriety or known tactics, techniques and procedures (TTPs). 2) Common Vulnerabilities in Application Security Pertinent to Fraud While injection attacks are still common, the most common application vulnerabilities are fraudulent authentication attempts and session hijacking. Microservices (token sessions, for example) are common in applications. However, it's very challenging to know who is doing what in the application - for example, knowing whether it's a consumer, an application developer, or fraudsters. Many companies do not have an active inventory of asset management, particularly with their applications. There is little visibility for analyzing the logs on the Web Application Firewall (WAF). Every application is different and understanding what is normal versus fraudulent takes time and modeling to focus on who is attacking business logic for fraudulent gains. 3) Application and Security Engineers Must Communicate Security champion programs are critical to getting application and security engineers to communicate in a way that articulates what is normal in an application. If this collaboration does not work, the attackers will be able to collaborate quicker to execute. Adoption rates of application engineers are a better metric to monitor versus showing remediation of vulnerabilities.
This joint Cybersecurity Advisory was coauthored by cybersecurity authorities of the US, Australia, Canada, New Zealand, and the UK. This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. AA22-117A Alert, Technical Details, and Mitigations Top 15 CVEs Routinely Exploited in 2020 Risk Considerations for Managed Service Provider Customers Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses How to Manage Your Security When Engaging a Managed Service Provider CISA Capacity Enhancement Guide – Implementing Strong Authentication Implementing Multi-Factor Authentication CISA's Apache Log4j Vulnerability Guidance All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
There are infinite vulnerabilities out there that make us susceptible to instances of cyberattack, and as of this year, we're on track to have identified 20,000 of them. While there's a whole risk mitigation ecosystem in place, CVE (formerly known as the Common Vulnerabilities and Exposures Program) has played a huge role in establishing a dictionary-esque database with IDs and definitions for each known vulnerability. On this episode of What That Means, Camille is joined by returning guest Katie Trimble-Noble (Intel - Director, PSIRT & Bug Bounty) to describe the critical nature of CVE in greater detail. They cover: - The origins and evolution of CVE (formerly known as the Common Vulnerabilities and Exposures Program) - Why CVE matters, and what it does and doesn't do - How NVD (the National Vulnerability Database) and CVSS (the Common Vulnerability Scoring System) differ from and apply to CVE - How risk severity is actually scored - Who and what CVE Naming Authorities (CNA) are, why they're important, and the process of becoming one ... and more. Really interesting stuff, so tune in! *And if you like what you hear, catch an earlier conversation Camille had with Katie in WTM Episode 26: Bug Bounty and Crowdsourced Security; Alexander (RoRo) Romero joins them for a great discussion, and you don't want to miss it: https://bit.ly/3mv9yVr The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation. Here are some key takeaways: - CVE makes up an important part of the mitigation ecosystem, and its main mission is to catalog and identify known vulnerabilities; we can think of it as a sort of dictionary in that it tells you the definitions of vulnerabilities. - Although CVE does not expand on the severity of vulnerabilities, it does list which ones are in your network; NVD and CVSS help to paint a clearer picture of risk level. - While ideally everything would be patched, there has to be a hierarchy of priority; that's what makes CVE so crucial, because it enables system admins to differentiate and decide what to patch first based on risk analysis. - CVE also helps to identify vulnerabilities in a universally recognizable way. - Some vulnerabilities can intersect to form an attack chain, which is a common phenomenon that's often referred to as a “daisy chain.” - CNAs are vendors, government agencies and research organizations that have a deep knowledge of vulnerabilities because they own a product or have done extensive research on it; these CNAs can publish directly to the CVE Master List. - There are currently 161 CNAs around the world, one of which is Intel. - In 2021, 20,000 vulnerabilities are on track to be identified to date. - There is no cookie cutter response to risk, because the things that get fixed and in what order are dependent upon implementation. - It's important for consumers to put pressure on manufacturers to be transparent about vulnerabilities, because in the end, it strengthens the entire ecosystem. Some interesting quotes from today's episode: “Everyone uses CVE. And the reason that you use CVE is when you're doing your risk analysis to patch management, your system admins need to know what are we vulnerable to so that they can make that risk-based decision of what gets patched first.” “Really risk is in the eye of the beholder. I can't say what's more important for you to patch because you have certain mitigating compensating controls on your end, the implementation end of the user. The implementation really dictates how things get fixed in what order they get fixed.” “It's not the mission of the CVE program to really get into some of those kind of theoretical details. It's more sticking to the mission of the CVE program to identify and catalog those vulnerabilities so that you can enable the user end with the best risk-based program that can be available. It's all about transparency and truth.” “There was a lot of back and forth about what exactly is an exposure. So ultimately it was decided that in the best interest of the community, it was better to focus on CVEs in the form of vulnerability identification.” “The CVE Master List is really just a reflection of the known vulnerabilities; there are an infinite number of vulnerabilities out there.” “I mean, my Fitbit could have vulnerabilities and that's not something you saw 10 years ago.” “I think that we're going to continue to see a rapid increase in the quantity of vulnerabilities that have been identified. And that's why it's so important to have that community based approach, those CNAs, those people who are sitting there cataloging vulnerabilities in their systems.” “As the consumer, you want to put pressure on your product manufacturer to build a secure product.” “If you can attack that insulin pump and you can cause an insulin pump to dump all the insulin in one minute, you can kill a person. That is a frightening vulnerability and those kinds of real-world sort of impacts they're not theoretical anymore. They're very real today.” “When you disclose vulnerabilities, you make the overall ecosystem stronger and better and smarter.”
[קישור לקובץ mp3] בפרק מספר 422 של רברס עם פלטרפורמה - אני מתכבד לארח באולפן הוירטואלי שלי את ארז מטולה(רן) אז אם אתם מזהים את הקול הזה, זה בגלל שאתם מאזינים ממש-ממש-ממש אדוקים - עם ארז נפגשנו לפני 10 שנים - או יותר, אולי אפילו 11 שנים [מפה לשם כמעט 12…] - והקלטנו פרק, אז, על נושא של Penetration Testing [058 אבטחת מידע בתכנה software security, כולל הפתיח ההיסטורי למטיבי שמע], והנה אנחנו נפגשים שוב אחרי 10 או 11 שנים, כדי לראות מה התעדכן. רמז - הרבה . . . אז לפני שנכנס לעולם ה-Pen-Testing, ארז - ספר לנו, ככה בכמה מילים, עליך - (ארז) בשמחה - אני נמצא בתחום הזה של ה-Security בערך מאז שאני זוכר את עצמי . . . עוד בתור ילד, התעסקתי עם כל מיני שפות פיתוח ועם לפרוץ למשחקים ולעשות כל מיני דברים [לכאורה].היה לי ברור שזה הכיוון שלי, עוד בתור ילד היה לי ברור שאני איכשהו אשלב בין עולם המחשבים ועולם האבטחה - “הפריצות” אז קראנו לזה, עוד לא הייתה הגדרה לכזה דבר.ובאמת, בשביל לעשות את זה בצורה רצינית, היה לי ברור שגם צריך לעשות את זה בצורה “נכונה” ו”אקדמאית”, נקרא לזה.אז לאחר שלמדתי תואר ראשון ותואר שני בתחום, אמרתי “רגע, מה אני עוד יכול לעשות?”אולי אני אלך לעבוד בחברת פיתוח, כי בסך הכל אני מפתח תוכנה - אבל מצד שני, אני מאוד אוהב את ה-Security . . .אז אמרתי - רגע, בדיוק נולד תחום חדש שנקרא Application Security - אני מדבר איתך על לפני 20 שנה, כן? כשנכנסתי לעניינים - ואמרתי “איזה מגניב!”זה תחום שמשלב בין Security לפיתוח - בדיוק החיתוך הזה - ווואלה, נשמע לי מאוד מגניב, משהו שאני מאוד מתחבר אליו. ומאז גם התחלתי להתעסק עם כל מיני דברים שקשורים לכלים שפיתחתי, למחקרים שביצעתי, הרצאות שעשיתי במקומות כמו Black Hat ו-DevConאפילו יצא לי לכתוב ספר בנושא, שנקרא Managed Code Rootkitsומאז מאוד פיתחתי את התחום והשתדלתי לקחת סביבי הרבה מאוד אנשים שיטפלו בנושא הזהולפני משהו כמו 10 שנים הקמתי חברה בשם AppSec Labs - זו חברה שמתמחה בתחום ה-Application Security, ומה שאנחנו עושים בעצם זה בדיוק זה: אנחנו 15 איש, עושים Penetration Testing, עושים Code Review, מייעצים איך לכתוב אפליקציות בצורה בטוחה . . . כאשר המטרה המרכזית שלנו, בסופו של דבר, היא לגרום לעולם להיות מקום בטוח יותר, בהקשר של Software.(רן) מצויין, באמת הסטוריה ארוכה ומכובדת - לא הרבה יודעים, אבל גם אני התחלתי את הקריירה שלי כ-Pen-Tester, באיזשהו שלב . . . אחרי שסיימתי את הלימודים, זה היה אחד הדברים הראשונים שעשיתי, ואח”כ עברתי לכיוונים אחרים של Frontend ו-Backend ותשתיות - והיום Data Science, אבל כן, יש לי עדיין פינה חמה בלב לעולם ה-Pen-Testing וגם אני הייתי ב-Black Hat וכאלה, מכיר את החבורה . . .אבל בכל אופן, למי שאולי לא מכיר - הזכרנו את המילה הזו מספר פעמים: Pen-Testing: מה המשמעות? מה זה Pen-Testing? מה המשמעות של להיות Pen-Tester?(ארז) Pen-Testing זה, בצורה הכי נקרא-לזה-ככה-“מסונתזת”-שלו, זו מערכת, שיכולה להיות מערכת We-App או Mobile-App . . .ויכול להיות Pen-Test תשתיתי בכלל - Pen-Test לשרת קבצים, ל-IAS, ל-Apache . . . לא משנה מה, תמיד יש Target.בשורה התחתונה - המטרה היא להפיק דוח, להפיק רשימת Vulnerabilities, בעיות שנמצאו במערכת - על מנת שהצד השני - בדרך כלל בעל המערכת - יוכל להבין בפני מה הוא עומד.אם בעל המערכת יודע שיש לו איזושהי מערכת, ואין לו כל כך מושג אילו בעיות יש שם - אז הדבר הכי קרוב לפורץ אמיתי, שיפרוץ לו למערכת וינצל את זה - זה לקחת מישהו, נקרא לזה “מהטובים” - Penetration Tester, שבצורה מסודרת ומבוקרת ובתיאום עם אותו גורם, יבצע לו [עבורו] סוג של “סימולציה של האיש הרע”רק שבמקום שהוא באמת ינצל את הפרצות האלה ויעשה עם זה משהו, הוא פשוט בא ואחרי זה אומר לו “הנה, תראה - אלו הן הבעיות שמצאתי והנה, מההבנה שלי את הבעיות, אני גם יכול להגיד לך איך כדאי לך לטפל ולתקן אותן”.(רן) בסדר גמור, מעולה - אז אפשר לחשוב על Pen-Tester כעל “שודד טוב”: מישהו שמדמה פריצה אבל בסופו של דבר נותן לך דוח ולא גונב לך את הכסף, או את שאר הדברים . . .אז המקצוע הזה, כמו שאמרת, התחיל כבר לפני 20 שנה או יותר - אבל בוא נדבר על מה שקורה היום, זאת אומרת - מה התחדש, לפחות נאמר ב 5-10 שנים האחרונות, מבחינה טכנולוגית, מבחינה מתודולוגית . . . מה חדש בזמן האחרון?(ארז) אז קודם כל המון השתנה . . . אם אני אקביל את זה למה שהיה אז, בפגישה הקודמת שלנו לפני ~15 שנה, אז העולם היה מאוד פשוט . . .אז היתה לך טכנולוגיה אחת, בדרך כלל, שרת Web אחד . . . הכל היה מאוד הומוגני.הרוב היה רץ על IAS-ים, בדרך כלל מה שכתבו היו Web-Apps עם ASP . . . בהמשך התחיל NET.אם כבר היו אפקליציות Web-יות אז הן היו רק Java . . . היה מאוד מצוצמם.בדרך כלל, מי שעשה Penetration Testing בתקופה ההיא היו סוג של לקוחות מאוד-מאוד ממוקד - זה יכול להיות . . . בדרך כלל בנקים או תעשיות בטחוניות וכאלה.היום,Literally, כולם עושים Penetration Testing - כי כולם מבינים שזה צורך מאוד חשובוזה איזשהו שינוי מאוד מהותי שאנחנו רואים היום - שכולם עושים כל הזמן, כולם עושים להכל, לא רק לאותן אפליקציות שהן, ככה חשופות.ואם נסתכל רגע על ההבדל המשמעותי - אני אגיד את זה במשפט אחד ואני אפתח את זה: בשורה התחתונה, היום הרבה יותר מורכב לבצע Penetration Testing ממה שבוצע בעבר.היום, למשל, כשאנחנו מסתכלים על Target - אני, ברשותך, אתמקד בעולם שאני מכיר ושוחה ומומחה בו, תחום ה - Applications . . . אם אני מסתכל על Applications - ואגב Applications זה מושג מאוד רחב: זה יכול להיות Web-Apps, זה יכול להיות Mobile-Apps, זה יכול להיות IOTs, זה יכול להיות REST APIs, ו . . . You-name-it . . . כל עולם ה-Softwareבקיצור, הום הרבה יותר מורכב לבצע Penetration Testing, כי הפרופיל של ה-Penetration Tester הוא כזה שהוא צריך להיות הרבה יותר ורסטיליהוא לא יכול להכיר רק טכנולוגיה אחת, הוא לא יכול לבוא ולהגיד “אני יודע רק טכנולגויה אחת - אני יודע רק לבדוק Web-App מסוג Java!”הוא צריך להכיר טכנולוגיות שונות, הוא צריך לדעת את ההבדלים . . . מה ההבדל בין אפליקציה שנגיד מותקנת On-Prem - שזה, אגב, היה בעבר בעיקר On-Prem - לבין, פתאום, אפליקציות שהן . . . היום כמעט שאין On-Prem, רק בסביבות מיוחדות אתה תראה On-Prem.היום הרוב זה SaaS - אם ניקח את זה עוד שלב קדימה, היום הכל כמעט בנוי מעל תשתיות Cloudו-SaaS לא בהכרח אומר Cloud, יכול להיות שיש מישהו שיש לו SaaS שלא בהכרח משתמש בכל ה-Advanced Features שיש ל-Cloud Providers, כמו Storage של Encryption Keys וכמו שירותים שאתה “זורק את הקוד שלך” ויש לך איזה Lambda Function . . . אתה זורק את הקוד ואתה לא צריך בכלל תשתיות . . .אלו דברים שמאוד השתנו - ולכל סוג של מערכת, לפי ה-Deployment שלה ולפי הטכנולוגיה שלה, יש ממש סט של בעיות שאותו Pen-Tester צריך להכיר.בשורה התחתונה - ב-Pen-Testing, יש לך זמן קבוע - זה לא, ככה, “תבדוק כמה שאתה רוצה”, תמיד יש זמן קבוע - בסופו של דבר, Pen-Testing זו פעילות מסחרית, שיש לה זמן מוקצב, ואחד מהאתגרים הכי גדולים שיש ל-Pen-Tester, מעבר לטכנולוגיה, זה לדעת איך הוא “משחק נכון” עם השעות - איך הוא עושה פיזור נכון, אופטימלי, של השעות שלואיפה הוא שם את השעות אל מול ההסתברות הגבוהה למציאת Vulnerabilities - הייתי אומר שזה שם המשחק היום.(רן) אז אני מנסה, ככה, לדמיין איך נראה היום שלך, או של אחד העובדים בחברה שלך . . . אז נגיד, יש לקוח עם חוזה חדש ועכשיו יש לך, לצורך העניין, איזשהו “בנק-שעות” שאותו אתה הולך להשקיע ב-Pen-Testing - מה, זה מתחיל באנליזה? ארכיטקטורה של המערכת? שיחה עם מהנדסים, או שאתה מתייחס לזה כמו אל קופסא שחורה? זו השאלה ראשונה - עד כמה המערכת צריכה להיות “שקופה” אליך?שאלה שנייה היא האם יש איזשהו סט-כלים, Tools-of-Trade, שאיתם אתה תמיד מתחיל ראשון - ואז משם ממשיך הלאה, לפי הממצאים?(ארז) שאלה מצויינת, שאלות מצויינות . . . יש כמה שאלות שמתחבאות במה שהעלת . . .אני אתחיל, קודם כל, מאיזושהי הצהרה - בשורה התחתונה, כשעושים Penetration Testing, אפשר להגיד שהעולם מתחלק לשלושה סוגים - סוג אחד זה Black-Box, סוג שני זה White-Box, בצד השני של הסקאלה; ובאמצע נמצא Gray-Box.אני מאוד מאמין ב-Gray-Box . . . ואני אתחיל רגע בהסבר של מה כל אחד אומר . . .אז Black-Box אומר “קח את המערכת, עזוב'תי באמ'שלך ותחזור אלי עם דוח” - זה ממש, בשפה פשוטה . . .במקרה הטוב אתה מקבל Username ו-Password, יש לך נגיד את ה-URL של המערכת ו-User ו-Password וזהו, לא משתפים איתך פעולה.זו גישה אנכרוניסטית, לדעתי . . . היא מתאימה מאוד למצב שבו אתה יודע לחלוטין שבדקת את המערכת ואין שום דבר ויש סבירות מאוד נמוכה שימצאו [משהו] ועוד הרבה מאוד סיבות למה שתעשה Black-Box, יש עוד כמה . . .בשורה התחתונה, היא לא אופטימלית - אתה יכול לבזבז כמות שעות אדירה על דברים שאתה יכול לחלץ, את אותו Vulnerability, בשיחה של חמש דקות עם מתכנת, בסדר? . . . .או בלהסתכל בדיוק, לעשות Pin-point, ללכת ל-Class המתאים בקוד, כשאתה יודע איפה כנראה מסתתרת הלוגיקה שאתה רוצה לבחון - ופשוט להסתכל על הקוד ולהבין מה קורה שם.מהצד השני נמצא White-Box, שזה בעצם אומר “תן לי את הקוד, בוא נעשה White-Box Testing - תן לי את הקוד, אני בעיקר אסתכל עליו, אשאל שאלות, אסתכל על ה-Sequence Data וכו'” . . . ונמצא בעיות - נסתכל על ה-Design ונמצא בעיות.ויש את האמצע - האמצע זה ה-Gray-Box, שבעצם אומר “בוא נעשה את שניהם - בוא נשתמש בשני המכשירים, גם במכשיר ה-Pen-Testing ‘ה-Black-box-י' וגם במכשיר ‘ה-White-box-י', על מנת לאתר Vulnerabilities”שם המשחק הוא שבהינתן זמן נתון - קבוע, Fixed - אני רוצה למצוא את מקסימום ה=Vulnerabilitiesאני, כ-Pen-Tester, מאוד ארצה- כמו רופא שיכול לנתח ויש לו סט של מכשירים, שיכול להרים פעם את האיזמל הזה ופעם את ההוא וכו'אני רוצה לבוא ולהגיד שהייתי מאוד שמח, בהינתן בעיה נתונה שאני רוצה לבחון, לחשוב ולהגיד רגע, האם אני ניגש אליה במסלול . . .עם המכשיר של ה-Black, כי זה יותר נכון לבדוק אותה עם Black?אולי יותר נכון להסתכל עליה ב-White?או אולי נכון להתחיל Black, לעבור ל-White, לחזור ל-Black, לחזור ל-White . . . וככה בעצם, בצורה מאוד יעילה, לאתר את הבעיותוזה מוביל אותי לשאלה ששאלת - מהי המתודולוגיה של צורת הבדיקה? הPipline הוא כזה:עוד לפני שמתחיל Penetration Testing, נהוג לעשות משהו שנקרא Scoping - ו-Scoping זה תהליך שהוא חצי-עסקי וחצי-טכנולוגי - תהליך שבו מדברים עם הלקוח, עוד לפני שיש הצעת מחיר, לפני שיודעים מה בכלל הולכים לבדוק וכו' - ושואלים אותו “תגיד, מה מעניין אותך? מה היית רוצה לבדוק? בוא - שרטט לי גבולות גזרה, שרטט לי את הרכיבים שלך . . . האם ה-Web-App כן ב-Scope או לא ב-Scope? ה-REST API, שמדבר עם השירות-צד-שלישי שלך - כן להכניס אותו או לא להכניס אותו?”קודם כל, מחליטים איתו מה בכלל רוצים, מהם הגבולות גזרה, מבינים מה המורכבות של המערכת, כמה דפים יש לכל מערכת . . . כי הרי מערכת - לא מודדים אותה לפי משקלה בק”ג . . . מודדים אותה לפי כמות הדפים, כמות ה-APIs, עד כמה הם מורכבים . . .יכולות להיות שתי מערכות, לשתיהן עשר End-Points - אבל אחת היא סופר-מורכבת והשנייה היא כזאת פשוטה כזאת, כמה GET-ים פשוטים שמחזירים אינפורמציה . . . .אחרי שקובעים עם הלקוח את היקף הפעילות, מקבלים הצעת מחיר, הוא מאשר אותה, כל הצד הביזנסי . . . עברנו אותו.קובעים Kick-off - זה שלב סופר-חשוב ב-Pen-Test, זה שלב שבו, ביחד עם הלקוח, קובעים, בשלב הראשון של המערכת - מזמנים את כל הגורמים הרלוונטיים, בין עם זה ה-Pen-Testers וה-Product וה-Project Managers - זה מהצד שלנו, למשלומהצד של הלקוח - בדרך כלל את מי שמכיר את המוצר הכי טוב - מנהלת הפיתוח, לפעמים ה-CISO, מנהל מערכות מידע . . . גורמים מצד הלקוח.ורואים שקודם כל יש לנו את כל המידע שאנחנו צריכים - URL-ים ו-Password-ים וכל מה שצריך למערכות - רואים שהכל עובד, סופר-חשוב . . . גרוע להתחיל פעילות, ואז לגלות שפתאום אחת המערכות לא זמינה, כי אתמול ה-QA החליטו לעשות בדיקה ועשו איזו Stress-test או לא משנה מה . . . . תמיד יש סיפורים.בשלב הזה, של ה-Kick-off, זה השלב שבו נרצה גם לאושש את הנחות הייסוד שלנו, לגבי גבולות הגזרה - אני יכול לתת . . . לא חסרות דוגמאות, שפתאום מישהו מתעורר, מהצד של הלקוח, ואומר “רגע! המערכת הזו, שאמרתם שהיא ב-Scope - היא לא מוכנה, או שלא אמורים לבדוק אותה” - ויכול להיות גם מקרה הפוך, שמישהו יבוא ויגיד “רגע! מה עם השירות ההוא-וההוא? מה עם השירות שעכשיו עושה את Event-rule הזה? הוספנו את זה לפני כמה ימים וכן צריך להכניס אותו ל-Scope . . . .”אז זה בדיוק המקום שבו כל מיני דברים צפים.אחרי שעברנו את השלב הזה, מה שנהוג לעשות - ואני אחבר את זה רגע ל-Gray-Box - זה לקבוע שיחה עם אחד המתכנתים, מישהו שמכיר טוב את המערכת, וללכת איתו בשיטה של Cross-cut, לכל האיזורים שמעניינים ב-Security - ללכת איתו ממש ברמת ה-IDE, להגיד לו, למשל, “תפתח עכשיו ב-Visual Studio ותראה לי בבקשה איך אתה עושה Authentication ל-User-ים”, “תראה לי איך אתה חותם על JWT Tickets”, “קח אותי, למשל, לאותוריזציה (Authorization) - אני רוצה לראות את המודל-הרשאות שלך”או “אמרת לי שיש לך Database מסוג SQL - תגיד, אתה משתמש ב-Dynamic queries?” או “אמרת לי שאתה עובד ב-ORM - אני רוצה לראות בעיניים . . . קח אותי בבקשה ל-DALL, אני רוצה לראות בעיניים . . . “למה אני אומר את הדברים? כי אני יודע שעוד מעט אני אעשה את ה-Pen-Test, ואחד הדברים שאני אסתכל עליהם זה, למשל, זה SQL Injection . . . כשאני אבוא ל-SQL Injection, אם אני יודע, היה לי מידע פנימי, שאומר שלמשל - אין מצב ל-Dynamic queries בקוד, כי ראיתי בעין שהמתכנת משתמש ב-ORM, בסדר . . .בוא נניח שאין בעיה באיך שהוא מימש ORM . . . אז נניח שאני אומר שיש ORM - הסבירות שבה יש SQL Injection, שה-Run-time בכלל ג'ינרט (Generated) על מנת לגשת לדבר הזה - היא קלושה . . .זאת אומרת שאני יודע שאני אולי, בקטנה ככה, אוודא SQL Injection - אבל בשעות היקרות האלה, שהייתי אמור לבדוק SQL Injection - אני אשים אותן על משהו אחר . . . אני אמצא בעיה אחרת.ושוב אני מזכיר - זה משחק של הסתברויות . . . התפקיד של ה-Pen-Tester הוא לבוא ולראות איפה לשחק עם השעות שלו.אם אני אלך רגע קדימה - אז היום של ה-Pen-Tester הוא כזה שבהתחלה הוא סוג של, אם מתחיל הפרויקט, אז הוא סוג-של עושה Reconnaissance על המערכת, Information gathering . . . עובר על המערכת, אילו API-ים יש, כן WebSocket, לא WebSocket, מה עובר . . . אם זה עובר ב-JSON או עובר ב-Proto-Buff, או מה . . . .אגב, היסטוריה - פעם זה לא היה ככה, פעם ה-HTTP Request היה פשוט פרמטרים, כל מה שהיה צריך לעשות זה לשחק עם פרמטרים . . . היום פתאום זה הרבה יותר מורכב, יש Single Page authentication, אתה כבר לא יכול לעשות Crawling על כל המערכת ולדעת בצורה פשוטה, היום הדברים הרבה יותר מורכבים.ולכן, אחד הדברים החשובים ש-Pen-Tester עושה בהתחלה - הוא בונה לעצמו מודל של איך שהמערכת בנויה, והוא חושב כמתכנת - “אם אני הייתי בונה את זה . . .” - אני נכנס לראש של המתכנת ואני מבין את השיקולים שלו . . . “למה, למשל, את ה-Request הזה הוא העביר over WebSocket, ואת זה הוא העביר ב- REST API?” - כנראה שהייתה סיבה . . . כנראה שאת ה-WebSocket הוא צריך ל-Long-running Connection או משהו, ואני אראה שאם יש לו Long-running Connection, אז כנראה שבצד השני ה-User הוא כנראה Authenticated ברגע שהוא פתח Connection . . . זאת אומרת שיכול להיות שב-WebSocket אני אומתתי רק בפעם הראשונה שפתחתי את ה-Connection, ויכול להיות שכשאני אני אשלח את הבקשות הבאות, אם אני אעשה משחק על פרמטרים ואזין ID של User אחר או של Resource אחר - יש סיכוי גבוה יותר שאני אמצא אותו . . . למה? כי ב-REST API, מראש, בגלל שהוא State-less, בהקשר הזה - אז תמיד בודקים . . . יש כל מיני ניואנסים קטנים, שברגע שאתה נכנס לראש של כל מתכנת, זה נותן לך כל מיני טיפים על איפה כדאי לך להסתכל . . .בקיצור - אחרי שעשינו את כל שלב ההכנה ואיך שהמערכת בנויה ואיפה כנראה יש בעיות ו . . . אחד הדברים זה גם למפות פיצ'רים - למשל, יש Features של File upload או Download . . . מדי פעם זה Import או Export של כל מיני קבצים וזה - אז כבר אני יודע שב-Security test-cases שלי אני צריך לכסות Vulnerabilities כגון Directory traversal ו-Path manipulation ודברים כאלה . . . אם לא היה פיצ'ר כזה, שימו לב - זה Feature-Driven - אם לא היה פיצ'ר בכלל של File-ים, כנראה שלהתחיל לחפש Directory traversal היה נמוך יותר ברשימה שלי . . .זאת אומרת שאחד הדברים שה-Pen-Tester עושה - הוא גם בונה לו סוג של “רשימה ממויינת”: אילו Test-cases יותר מעניינים, ספציפית במערכת הזאת.זה קטע מאוד מעניין ומאוד מאתגר - וככל שיש יותר ניסיון, אנחנו גם רואים את זה, ש-Pen-Testers מנוסים יותר, הראשי-צוותים, הרבה פעמים . . . גם אם יש Pen-Tester מאוד טוב, שיודע לזהות בעיה מאוד מאוד טוב - הוא צריך את הניסיון של ה-Pen-Tester המנוסה יותר, שיגיד לו “שמע, יש לי תחושת בטן . . . יש לי הרגשה שבאיזור הזה יהיה לך Directory traversal . . . “הצעיר יותר, שיודע למצוא Directory traversal, ו”שד בזה” - יסתכל על המישהו המנוסה יותר ויגיד לו “איך אתה יודע?, מאיפה יש לך את התחושת בטן הזאת?” - וזה בדיוק הניסיון, שגורם לך להבין לאיפה לחלק את השעות . . . ואם אני כבר קופץ רגע לסוף, רק לשלב האחרון - אחרי שמצאנו, במהלך הפעילות, מצאנו Vulnerabilities . . .היועץ שם לו אותן בצד - ובשלב הסופי הוא כותב דוח שממפה את כל אותן בעיות, ואני אשמח עוד מעט להרחיב על מה נמצא בדוח ומה עושים איתו . . .(רן) כן . . . אז אני מניח שאיזשהו Sub-text שלא כל כך דיברנו עליו הוא שלך יש אולי איזושהי מגבלת זמן, אבל אתה יוצא מתוך נקודת הנחה שלפורץ אין מגבלת זמן . . . זאת אומרת, גם אם אין לו, כמובן, גישה ל-White-Box, אין לו גישה ל-Source-Code - או לפחות אנחנו מקווים שאין לו את הגישה הזאת, אם לא התכוונו לתת לו . . . .אבל כן יש לו הרבה מאוד זמן לשחק - אז הוא לא יודע אם יש Directory traversal או לא אז הוא פשוט מנסה, והוא לא יודע אם יש פה בעיה ב-WebSocket אז הוא פשוט מנסה - ולפורץ יש, נגיד, “אינסוף זמן”, אבל לך אין . . . יש סוף לזמן שלך, יש סוף לשעות שאותן אתה יכול להשקיע, לפי החוזה, ולכן אתה צריך לתעדף לפי סיכונים.רציתי לשאול - יש לנו בסך הכל הרבה נושאים שאנחנו רוצים לכסות והזמן קצר, כמו ב-Pen-Testing . . . - אז רציתי להתמקד על כמה דברים - ואחד הדברים המשמעותיים, אני חושב, ביותר בעולם של ה-Security activities זה ההתפתחות של שפות התכנות, זאת אומרת - אם בעבר פריצות טיפוסיות היו משתמשות ב-Buffer overflow ודריסות זכרון ודברים כאלה בשפות שהן פחות מנוהלות כגון C, היום השפות הן כבר הרבה יותר מנוהלות, ועדיין יש להן פגיעויות - אבל הן מסוג שונה.אז שפות שהן הרבה יותר מתקדמות, דוגמאת הגרסאות האחרונות של Java ו-TypeScript ו-Go ו-Rust מנהלות בצורה מאוד מאוד יפה את הזכרון שלהן, ויש להן לא מעט פיצ'רים של Security כבר Built-in בתוך השפה - אבל אני מנחש שיש להן פגיעויות אחרות . . .אז איך אתם ניגשים, נגיד, אם אתם לומדים שיש Code base שכתוב, לצורך העניין, ב-Go או ב-Rust או ב-TypeScript או בשפה מודרנית אחרת - האם אתם ניגשים לזה בצורה שונה, עם סט שונה של כלים או מתודולוגיה אחרת?(ארז) חד משמעית כן, כי בכל שפה יש את ה-Common Vulnerabilities שלה, או שאני אגיד את זה אחרת - לכל שפה יש את “המקומות האפלים האלה”, שמתכנת עלול “לירות לעצמו ברגל” . . .מה הכוונה? הסביבה והשיטה וכל ה-Community הרבה פעמים מעודד אותך לעבוד בצורה מסויימת, שהיא, בוא נגיד את זה ככה - קצת יותר מסוכנת מהממוצע, או יותר מסוכנת מבשפה אחרת . . . בעיקר בדברים דינאמיים או בדברים שאתה עושה בצורה שכזו, שנגיד שאולי בשפות אחרות לא היית עושהלמשל - בסביבות כמו Node.js ודומיהן, מאוד מאוד מעודדים אותך, יותר מבסביבות אחרות, להשתמש ב-Open Source Components . . . ו-Open Source Components, למרות שזה לא קוד שאתה כתבת, יש סבירות יותר גבוהה שבקומפוננטה (Component) שלא תפתח בעצמך, יהיה Vulnerability.גם לך תדע מאיפה הגיע ה-Package הזה ל-npm, ואתה מושך אותו ואלוהים יודע מה קורה איתו . . .אז יש סביבות שבהן ה-Package זה האיום המרכזי, ויש סביבות שבהן אתה יודע שהסביבה עצמה היא כזו שבה יש יותר סבירות לטעות . . .אגב, דיברת על זיכרון מנוהל וכו' - גם לפני 10 שנים, הרוב היה זיכרון מנוהל . . . בעיות כמו Buffer overflow ו-Format String ו-XSS וכו' - אלו בעיות שבאמת עוד בעבר הפסקנו להסתכל עליהן.זאת אומרת שהסבירות שאתה תמצא Buffer overflow באיזו Web-App הוא קלוש.לכן, רוב הבעיות מתמקדות בעיקר בבעיות טכניות - זה המונח, “בעיה טכנית”.“בעיה טכנית” זו בעיה כגון Directory traversal שהזכרתי קודם ו-SQL Injection ו-XSS ועוד כל מיני בעיות.ויש “בעיות לוגיות” . . . .(רן) כן, אני אוסיף לרשימה דברים שאני ראיתי - שימוש לא נכון ב-Encryption או בכל הספריות שקשורות ל-Encryption . . . (ארז) זה בעיות לוגיות . . . (רן) . . . ושימוש לא נכון באות'נטיקציה (Authentication) . . .(ארז) . . . לוגיות!(רן) אוקיי . . .(ארז) בדיוק . . . זה בדיוק מה שבאתי להגיד - לשם העולם הולך.אני אתן רקע - בעיות טכניות אלו בעיות שקל מאוד לפרמל (Formalize) אותן - לצורך העניין, אם אני עכשיו סורק את הקוד, קל לי, יחסית, לזהות או להגדיר Pattern של איך שנראה SQL Injectionתחשוב שמשהו רץ על הקוד, יש איזשהו Static Code Analysis, איזשהו מוצר של Security שעושה scanning, וידע לזהות איך נראה SQL Injection או XSS או כל בעיה אחרת . . .יש לזה Pattern בקוד, אני יכול להגדיר ולהגיד “אם אתה רואה קוד שיש בו Class של SQL Query ויש “הדבקת String-ים” בלה-בלה-בלה . . . “ - אני יכול לפרמל, לוגיקה כזו - “… - אז יש בעיה”.אלו בעיות טכניות.בעיות לוגיות, מהצד השני, הן בעיות יותר קשות - כי מכונה לא יכולה להסתכל על מכונה ולהכריע . . . זה הולך כל כך רחוק, עד כדי בעיית עצירה של Turing . . . זאת אומרת שאנחנו לא נוכל אף פעם, גם אם יש הרבה חברות AI שמספרות לנו כל מיני סיפורים - זה לא יקרה . . .בבעיות לוגיות, מכונה לא תוכל להכריע - זאת אומרת, יש דברים שהיא תוכל אולי, אני לא ראיתי . . . - אבל לדוגמא, הכי פשוטה:מי אמר שעל שדה מסויים, סופר-רגיש, צריך להיות Encryption? מי אמר שעל השדה הזה ב-Database או על השדה ההוא ב-Database צריך להיות Encryption? זה לא צריך להיות Encryption . . . מכונה לא תוכל להגיד לך את זה, בסדר?נכון שיהיה אפשר להסיק . . .(רן) אתה עושה את החלוקה בין “לוגיות” ל”טכניות” מנקודת הראות שלך, כ-Pen-Tester . . . דברים שבצורה טכנית, באופן טכני, אני יכול למצוא - ודברים שבאופן טכני אני לא יכול למצוא, ולכן אתה קורה לזה “לוגי”.אבל כמפתח, אני לא כל כך מודע לחלוקה הזאת . . . מבחינתי, הכל זה . . . לא יודע אם אפשר לקטלג את זה, אבל הכל זה בעיות לוגיות, כנראה . . . - זאת אומרת, מימוש לא נכון, הליכה כנגד ה-Best-Practices, בהרבה מקרים, או סתם חוסר הבנה או חוסר ידע שלי . . .(ארז) כן, תראה - הטרמינולוגיה של “בעיה טכנית” או “בעיה לוגית” היא לא טרמינולוגיה . . . זו טרמינולוגיה שבאה מעולם הPenetration Testing - זה מונח מקובל ונהוג לעשות את החלוקה הזאת.בשורה התחתונה - אתה צודק, מנקודת מבטו של מתכנת “הכל לוגי, כי הכל זה קוד שאני כותב”, ברור . . .אבל בהקשר של בעיה, כן - רוב הבעיות שאנחנו רואים היום הן בעיות כגון זה שלא שמת Encryption או שעשית Encryption לא נכון, או שלא עשיתי אות'וריזציה (Authorization), בסדר? לא עשית אות'וריזציה או שיכול להיות שהאות'וריזציה שלך לא טובה . . . .או למשל - מישהו שעושה Parameter Manipulation על איזה ערך, כן? . . . והוא נותן ערך Valid-י, זאת אומרת, תחשוב רגע שיש איזשהו ערך שאני מעביר - הערך עצמו, כערך, הוא אחלה ערך! הוא עובר RegExr, הכל תקין . . .אממה, לי אסור לשלוח אותו - הוא ה-CartID שלך, לא שלי, לדוגמא . . . . שזו בעיה לוגית, זו בעיה שמאוד קשה לעלות עליה מבחוץ - אתה ממש צריך להבין את ה-Business-Logic של המערכת.וזה, אגב, משהו שאומר שאיפשהו, ככל שהטכנולוגיה תתקדם ויהיו ל-Pen-Testing יותר שיטות ויותר כלים - תמיד אנחנו נצטרך Human בתמונה . . .(רן) אז נושא אחד שככה קצת נגעת בו מקודם, כשדיברנו על Node.js - הזכרנו קוד פתוח והזכרנו Package Managers, ורציתי קצת להכליל את זה ולדבר עוד כמה דקות על הנושא של Supply-Chain Attacks - התקפות על שרשרת האספקה.עכשיו, מי שמגיע מעולם התפעול מכיר שרשרת אספקה - זה אוניות, זה משאיות, זה מטוסים, זה מחסנים וכו' . . . . אבל מה, למעשה, זו שרשרת האספקה בעולם התוכנה? אז בעולם התוכנה, שרשרת האספקה כוללת כמה דברים - זה כולל את כל ה-Tool-ים שעוזרים לנו בסופו של דבר לכתוב את התוכנה ולדלבר (Deliver) אותה, אם זה IDE, אם זה ה-Package Manager, אם זה חבילות ה-Open-Source השונות, ה-CI, ה-Deployment System, ה-Docker ו-Kubernetes וכו' - כל מה שעוזר לנו בסופו של דבר - כל מה שהוא לא התוכנה שלנו, אבל עוזר לנו לייצר את התוכנה.ובזמן האחרון - טוב, אני לא יודע אם זה בזמן האחרון אבל שאולי זה רק עלה יותר למודעות בזמן האחרון - יש לא מעט התקפות על שרשרת האספקה הזאת, אם זה התקפה על ה-CI, אם זו התקפה על החבילות, Hijacking וכו' . . .איך זה משנה את עולם ה-Pen-Testing?(ארז) תראה, בשורה התחתונה אני אגיד שזה משהו שחלקית אנחנו . . . זאת אומרת, אפשר להתייחס אליו ב-Pen-Testing.ולמה אני אומר את זה? כי אם יש בעיה, כשהבעיה הזו היא, לצורך העניין, חשופה כלפי חוץ - אז אתה תראה אותה ב-Pen-Test, וזה לא משנה אם המתכנת טעה ועשה Bug של Security, שזה רוב המקרים, או אם המתכנת בכוונה הזריק וקטור לקוד - נדיר, אבל קורה . . . .או אם זה סוג של . . . מישהו אחר, נגיד, הכניס בכוונה Bug איפשהו - בסוף זה יצא כלפי חוץ, זאת אומרת - ב-Pen-Testing אתה אמור לזהות את הבעיות שקיימות.מה אתה לא תזהה ב-Pen-Testing? אם למשל מישהו החביא, איפשהו ב-Supply-Chain עמוק בפנים, איזשהו Backdoor שכזה . . . אין סיכוי שאתה תעלה עליו, אתה יודע . . .אתה לא יכול לחזות, למשל שאם אתה תוסיף איזה ערך מאוד-מאוד-מאוד מיוחד ל-Request - פתאום ה-Backdoor יתעורר . . . זה לא משהו, זה לא סביר שאתה תעלה על זה ב-Pen-Test.אגב - מאוד יהיה קשה לעלות על זה גם בשיטות אחרות.לכן Supply Chain אלו בעיות מאוד קשות . . . כי תחשוב רגע, הזכרת למשל אוניות ומחסנים וכאלו - בעולם ה-Software זה יותר באמת “מישהו החביא לי איזושהי הפתעה, עוד לפני שאני, כמתכנת, קימפלתי ל-Production בכלל, מישהו החביא הפתעה עמוק בתוך ה-Complier” . . . סתם דוגמא - בתוך ה-IDE החביאו לי איזושהי הפתעה, החביאו לי בתוך ה-Docker Image . . . תחשוב - אם אני מושך איזה איזשהו Docker Image, והוא כבר בפנים החביא לי הפתעה . . . הקוד שלי סבבה, פצצה - עבר Code Review, עבר Pen-Test - על הסביבה הרגילה . . . אבל כשהוא רץ על ה-Docker Image הזה, אני בבעיה.לא חסרות סיבות שכאלו, שבהן אתה אומר שיכול להיות שאיפשהו לאורך הדרך מישהו שתל לי איזה משהו - ולכן, בהקשר של Supply Chain, מאוד חשוב לשים לב שבאמת, זה מאוד טריוויאלי - שכל השרשרת מאובטחת.שאת ה- Package-ים אתה לוקח ממקום תקין, שאת הסביבה אתה מעלה נקי . . . Docker Image? אין בעיה, אבל אל תביא Docker Image שמישהו אחר אפה, בוא תאפה אתה . . . תעשה את ה-Buildיש בפנים Binaries מיוחדים? תקמפל אתה . . . וכמובן שים לב מאיפה אתה מושך את הקוד . . .היום זה גם מאוד קל, כי היום להרבה מאוד דברים יש Digital Signature - פעם לא היה לנו Digital Signature כמעט על כל דבר, והיום יש.היום אתה יכול לוודא שהחבילה הגיעה מה-Trusted source שאתה מצפה לו.היום אתה יכול לאמת חתימות של כמעט כל דבר שיש.אפילו היום אתה יכול - הנה דוגמא למשהו שפעם לא היה - CDN, בסדר? נהוג למשוך כל מיני Static content מ-CDNהיום זה כל כך טריויאלי . . . פעם הייתה שם את הכל אצלך, את כל ה-JavaScript-ים והכלהיום יש יכולת להגיד, אני בתור מפתח המערכת שלי - כשאני מושך External backend, כשאני מושך למשל jQuery ממקור חיצוני, אני לספק את החתימה שלו כחלק מה-HTML - לא הייתי יכול לעשות את זה בעבר.בעבר הייתי צריך למשוך JavaScript ולכניס אותו “לקודש הקודשים” - ל-Domain שלי, בתוך ה-Domain שלי, להכניס משהו מבחוץ שאין לי מושג מאיפה הוא בא, אין לי מושג האם מישהו שינה אותו מאיפה שמשכתי אותו וכו'היום אני יכול ממש לספק Hash עם חתימה של מה שאני מצפה לקבל - ואם ה-Browser יקבל Package לא מתאים הוא ידחה אותו, הוא לא יטען אותו - שזה נהדר.יש הרבה מאוד שיפורים מהסוג השזה, שפעם לא היו לנו - וזה אגב אחד הטריקים שאני ממליץ להשתמש בהם.(רן) זה באמת מביא אותי לשאלה הבא - אולי לא יהיה לנו זמן לדבר על ה-Report שאתם מייצרים, אבל האם, אחרי שמצאתם אוסף של Vulnerabilities - רגישויות, פגיעויות - האם אתם גם הולכים הלאה ומספקים בסופו של דבר פתרונות, או מיטיגציות (Mitigations) לאותן בעיות?(ארז) יש הפרדה בין עולם ה-Pen-Testing לעולם הייעוץ - זאת אומרת שכשאתה עושה Penetration Testing, יש לך Mission - וה-Mission שלך זה לבוא ולמצוא כמה שיותר בעיות ולהנגיש אותן, זה חלק מהמשימה.מה זה אומר להנגיש אותן? - זה אומר שאני צריך לקחת בחשבון שמי שקורה את הדוח הוא לא Penetration Tester, ואני לא יכול לדבר בשפה שלי . . .אני צריך להסביר לו את הבעיות, אני צריך להסביר לו איפה הבעיות . . .אני צריך לשים לב לא ליפול לטעות הנפוצה - שהוא יחשוב שהבעיה שנתתי לו היא רק בדוגמא מסויימת, ויתקן רק אותה . . .ואחד הדברים שחשוב מאוד להנגיש במסמך זה את ה-Mitigations . . .אז לשאלתך - כן, נהוג לתת Mitigations במסמך, להגיד איך ניתן לטפל בזה - אמרתי לך, סתם לדוגמא, שה-Encryption שלך לא טוב - אגב יש לזה שם, משחק מילים: En-crap-tion . . . אם אתה עושה En-crap-tion, וה-Encryption שלך לא טוב, אז אחד מהדברים שאני ארשום לך במסמך זה שהשתמשת, למשל, בהצפנה סימטרית מסוג . . . . וה-Encruption mode שלך הוא ECB - זה לא טוב, תחליף בבקשה ל-CBC, ויכול להיות שאני אפילו אתן לך את ה-Flag המתאים בשפה שלך, כי אני, נגיד, יודע באיזו שפה אתה עובד וואני אתן לך גם ממש דוגמת קוד שעובדת.זה החלק של הדוח, זה החלק של ה-Pen-Test - מי שמקבל דוח, צריך שיהיה לו את כל מה שצריך בשביל לתקן את זה.יש לקוחות ויש מקרים שבהם באים ואומרים “תשמע - בואו תסייעו לי גם ממש ליישם את ההמלצות”אבל הנחת הייסוד היא שלא - אתה לא חייב להישען עלינו בשביל זהמי שעושה Pen-Test אמור לקבל את כל המידע ואמור לקחת מישהו שמבין מספיק, מפתח נורמלי, שידע מה לעשות עם הדברים - וכל מפתח נורמלי יידע איך לעשות את המיטיגציות (Mitigations) בהתאם להנחיות שהוא קיבל.(רן) אוקיי, הזמן שלנו כבר קצר ואני עדיין מאוד סקרן, אז אני אבחר לעצמי עוד שאלה אחת וננסה לענות עליה - בעצם, היום הרבה מאוד שירותים נשענים על שירותי-צד-שלישי - אם זה לצורך, נגיד, Monitoring אז Datadog וכאלה, אם זה לצורך תשתיות אז AWS או GCP או Azure . . . זאת אומרת, הרבה מאוד הישענות על שירותי-צד-שלישי, והשאלה האם זה גם משהו שאתה לוקח בחשבון כשאתה בא לעשות Pen-Testing? זאת אומרת - לא רק את הקוד שאני כתבתי, אלא גם את כל השירותים האחרים שבהם אני משתמש ואולי ה-Data שאני שולח אליהם, ואולי הפגיעויות שלהם, עצמם . . . לצורך העניין יש Vulnerability ב-PagerDuty - איך זה הולך להשפיע עלי?(ארז) שאלה מצויינת . . . מה שאתה מדבר עליו, יש לו שם כללי בעולם שלנו: זה נקרא TCB, שזה Trusted Computing Baseזה בעצם אומר אילו דברים מבחינתך זה הבסיס, שכהנחת יסוד אתה אומר “את זה אני לא בודק” . . .לדוגמא - כשאתה עכשיו עושה Pen-Test לאיזה Web Application שכתוב ב-Node.js, אתה לא תלך ותבדוק את המערכת הפעלה שלו . . . למה? כי אתה אומר ש”הנחת היסוד שלי היא שהמערכת הפעלה שלו היא תקינה” . . .כמובן שאתה יכול לעשות Pen-Test על לראות שאין Vulnerabilities במערכת הפעלה, אבל באנלוגיה, נגיד - אני עכשיו עושה Pen-Test על איזשהו Web App, שפתאום משתמש בשירות צד-שלישי . . . נגיד שהוא משתמש עכשיו בשירות שליחת SMS של Twilio או לא יודע מה, משהו של צד שלישיאני לא הולך לעשות עכשיו Pen-Test על Twilio . . . מבחינתי, Twilio הוא בהנחת יסוד שלנו, והוא צד שלישי שהוא Secure.קודם כל - אני לא יכול ללכת עד אינסוף ולבדוק את כל הלוויינים סביבי . . . זוכר? זה משהו עסקי . . . דבר שני - חוקית, אני לא יכולדבר שלישי - גם אם הייתי יכול, הם היו אומרים לי “לך מפה” . . .דבר רביעי - תשמע, זו אחריות שלהם . . .[כל זה לא משנה אם הטלויזיה מאזינה . . . ]מה שכן עושים זה מסתכלים על ה-Interface, זאת אומרת - אם אני עכשיו עובד עם צד-שלישי, אז כן אני אסתכל - וזה כן דברים שמסתכלים עליהם- כן אני אסתכל שאם למשל אני עובד מולו, אז אני עובד עם HTTPS, לדוגמא.כי אני רוצה לוודא שה-Data עובר לשם כשהוא Encrypted בצורה נכונה.כלל נוסף - אני עובד מולו אז אני רוצה לעשות Server Authentication.זה Concern שלי, אני רוצה כשכשאני הולך לצד שלישי, לעשות אות'נתיקציה (Authentication) שלו, אני רוצה לוודא שכשאני עובד עם שירות צד-שלישי, אני רוצה לוודא שבאמת אני עובד איתו ולא עם איזה Man-in-the-Middle . . . .למשל, אחד הדברים שעולים ב-Pen-Test זה שבזמן הפיתוח, כיבו את ה-Certificate Validation . . . למה? כי בפיתוח לא היה לי Certificate של צד-שלישי כלשהו וביטלתי, עשיתי . . . . דרסתי את המתודה שעושה Certificate Validation, ואמרתי “ניתן True - עזוב אותי באמא'שך . . . פונקצית-עזוב'תי-באמא'שך . . . ”וכשבאים ל-Production - “וואלה מעולה - זה עובד!”, כי זה עבד גם מקודם . . . .אלא הם דברים שב-Pen-Test, למשל, כן בודקים אותם - כי כשמכניסים Man-in-the-Middle, ורואים שכשאני מגיש Certificate שהוא לא חתום ע”י ה-CA שאותו Client אמור לוודא, אז באמת אני מבין שיש בעיה . . . בקיצור - לא בודקים את הצד-שלישי, כן בודקים את האינטגרציה מולו ואת ה-Interface-ים מולו - מה נשלח? איך מאמתים אותו? כו' . . .(רן) אני מניח שבהקשר הזה, יש גם עניין של זליגה של מידע פרטי - אולי אם שלחת SMS, או שאתה שולח רק את הפרטים שאתה רוצה ולא בטעות מידע של מישהו אחר . . . (ארז) נכון, וברשותך אני אקח דוגמא מעולם ה-Mobile Apps - בעולם ה-Mobile Apps אתה רואה שפתאום, Out-of-the-blue . . . כאילו, זה בדיוק מהכיוון ההפוך, כן? . . . אם מקודם אמרתי שאני יודע שיש תקשורת לשרת מסויים, פתאום אני מזהה תקשורת שהולכת לאיזשהו שרת כלשהו, שאין לי מושג מי הוא, מאיפה הוא, מהו . . . ומסתבר שה-Vendor, ברוב נחמדותו, הוסיף בפנים לוגיקה של Monitoring ושל טלמטריה . . . ולפעמים זה נעשה אפילו בצורה זדונית.אגב, אחד מה-Side-effects של Pen-Test זה פתאום, במקרה, לזהות תקשורת שבכלל לא ידענו שהיא קיימת, שמגיעה מתוך איזשהו SDK שלקחנו והכנסנו פנימה . . . אנחנו רואים את זה מלא, וזה אגב אחד הדברים ש”על הדרך” פתאום אנחנו יכולים להאיר עליהם . . .לפעמים, אגב, זה לא עניין של Security - לפעמים אנחנו, על הדרך, רואים משהו שעוזר לצד השני והוא אומר “וואלה, לא ידעתי בכלל שדברים כאלה קורים . . . .”(רן) אז לדוגמא, יכול להיות מקרה שבו אתה מתקין SDK בתוך ה-Mobile-App שלך ובלי ידיעתך הוא שולח כל מיני אנליטיקות על ה-User שלך, אולי אפילו PII, זאת אומרת Personally Identifiable Information על ה-User-ים שלך, בלי שבכלל ידעת ובלי, כמובן, שהסכמת.(ארז) נכון - ופתאום אתה מגלה שאתה לא עומד ברגולציה . . . שבעצם אותו צד שלישי, אותו Package תמים, שכל מה שהוא אמור לעשות זה לספק לך איזשהו חישוב של משהו מסוייםפתאום אתה מגלה שהוא, ברוב חוצפתו, לוקח את אותו מידע של ה-End-user ושולח לשרת שלו . . . עכשיו - גם אם זה לא בצורה זדונית, גם אם הם צריכים את זה בשביל לשפר את המוצר שלהם או לבנות איזשהו מודל Data-Science כזה או אחר - אני בבעיה, אני כ-Vendorכי פתאום הוא גורם לי לא לעמוד ברגולציה שאני אמור לעמוד בה - בגלל שהוא שולח את הנתונים של הלקוחות שלי אליו . . . זה מסבך אותנו וכמובן שהרבה פעמים זה גם גובל בבעיות Security - אבל זה חלק מהדברים שעלולים למצוא ב-Pen-Test על הדרך.(רן) כן, ברוראז כמו שאמרנו קודם - זמננו קצר ואנחנו צריכים לסיים.אז תודה, ארז! היה כיף והיה מעניין - ותודה על העדכון, אני מקווה שניפגש שוב ולא בעוד 10 שנים . . . .אז עולם ה-Pen-Testing מתחדש, אני מניח, כל יום, וזה מרתק - וזהו. תודה!(ארז) בכיף - שמחתי מאוד לבוא, שמחתי מאוד לדבר, וכמובן שאם יש עוד נושאים מעניינים אז אני בכיף אבוא וארחיב עליהם, תמיד כיף לדבר ולספר ככה את מה שבסופו של דבר עובד בצד הזה, כי אני גם רואה שברגע שגם עולם הפיתוח רואה ומבין את השיקולים של ה-Pen-Test, בסוף זה נותן יכולת טובה יותר לבצע את הפעילות הזאת.תודה ארז, ולהתראות! האזנה נעימה ותודה רבה לעופר פורר על התמלול!
A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross- reference, all the known software vulnerabilities in the world.
A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross- reference, all the known software vulnerabilities in the world.
hello everyone my name is vijay kumar Devireddy and i am glad to have you back on my episode 46 today we are discussing about The next two exploits we're going to discuss are types of web application vulnerabilities.These are known as cross-site scripting and cross site request forgery. Cross-site scripting occurs when an attacker embeds malicious scripting commands into a trusted website.When this occurs the attacker's trying to gain elevated privileges, steal information from the victims cookies or gain other information stored by the victims web browser.During a cross-site scripting attack,the victim is the user, not the web server.The web server's already been compromised possibly.A cross-site scripting attack exploits the trust that exists between a user's web browser,and the web server that they're visiting.This often happens because the attacker's able to insert some malicious code into a web page that's being delivered from the server to the victim or client.There are three types ofcross-site scripting attacks:stored and persistent, reflected, and DOM-based attacks.A stored and persistent cross-site scripting attack attempts to get data provide by the attackerto be saved on to the web server by the victim.Now in a reflected cross-site scripting attack, the attempt here is to have a non-persistent effect which is activated by the victim clicking on a link on that site.In a DOM-based attack, this is going to attempt to exploit the victim's web browser itself and it's often called a clientside cross-site scripting attack.This comes from the fact that the user's document object model or DOM is vulnerable to the attack.The DOM is part of the user's web browser.To prevent cross-site scripting attacks,programmers should use output encoding of their web applications, to prevent codes from being injected into them during delivery and they should also use proper input validation to prevent the ability for HTML tags to be inserted by users when they're entering information on a web form. As a user, you can help protect yourself from cross-site scripting attacks by increasing the security settings from your cookie storage and disabling scripting language when you're browsing the web.Just like we talked about back in the webbrowser configuration lesson of application security. Whereas cross-site scripting focuses on exploiting the trust between a user's web browser and a website. Cross-site request forgery instead exploits the trust that a website has in a user.In a cross-site request forgery,the attacker forces the user to execute actions on a web server that they already have been authenticated to.For example, let's say that you've already logged into your banks website and provided your username and your password.At this point you're already authenticated and the website trusts you.If an attacker can send a command to the web server through your authenticating session,they are forging the request to make it look like it came from you.The attacker in this case will be unable to see the web server's response to his request or commands but he could still use this to transport funds from the victim, change their password or do a myriad of other requests on the victims behalf. To prevent cross-site request forgery from being successful, programers should require specialized tokens on web pages that contain forms.Such as captions, utilize special authentication and encryption techniques, scan any XML file submitted by a user, and requiring cookies to be submitted twice for verification to ensure they both match and have the proper integrity.
In this in-depth Security Awareness Training, host Jeremy Cherny explores how a security incident can occur, as well as how people can best protect their data to remain secure. What is a Security Incident? A Security Incident is any breach in your CIA. CIA is an acronym for these 3 areas with the first being the Confidentiality of your internal and/or external data or systems meaning that a breach occurs when someone has access to your data that shouldn’t. The “I” stands for the Integrity of your data and systems so it’s safe from corruption and unauthorized changes. Lastly, the “A” refers to the Availability of your systems and data so they are working and ready when you need them. So when you think of security breaches, think of the Confidentiality, Integrity, and Availability of your data and systems. Remember that security is only as good as your weakest links so make sure that you have all your blind spots covered! Common Vulnerabilities and Exposures (CVE) A CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. Every time there is a new security hole discovered in a device or software, it is given a CVE number. Over time, these vulnerabilities and security holes have been being discovered at a much higher rate which is one of the reasons why cybersecurity is so crucial in today’s day and age. Back in 1999, there were only 1,000 or so CVE’s that had been discovered versus in 2018 alone where there were over 16,000 CVS’s discovered. Another point to be made about CVE’s is that these are only the ones we know about and there could be thousands of other vulnerabilities that are out there which just have yet to be discovered. Face The Facts It’s almost certain that you will face multiple security incidents over time and although it may not be a big issue, it is still important to take the necessary steps to reduce the number and severity of security incidents. It is also important to note that even though steps can be made to reduce the number of incidents, you can’t eliminate them all because over time nothing is 100% effective. Although security incidents are becoming more complex every day, education, planning, and preparation are the only actions you can take to significantly reduce the number and scope of these incidents as well as to recover from any security incident you may face. Lastly, we advocate for you to trust no one and to always verify your security with a third party to ensure that you are staying safe. Top Reasons You Will Have A Security Incident Using Vulnerable Technology - If you use old technology that hasn’t been updated with security patches, or new technology which hasn’t had security patches applied can lead to vulnerability. Failure To Follow Best-Practices For Installation & Configuration - For example, many in-home routers will have a default password set up and a lot of people never change that password where the best practice would be to go in and change it to protect yourself. Lack of Written Policies - Written policies help you have a plan in place to protect yourself from security incidents. Lack of Education For Everyone In Your Organization - When people don’t know what they should be looking out for, they’re far more likely to stumble into something dangerous. Failure To Plan & Prepare - Planning and preparing is crucial to avoiding security incidents, as well as recovering when one does occur. Failure To Monitor, Audit, and Maintain Policies and Systems - Consistently ensuring that all your systems are functioning properly will decrease vulnerabilities. Security is Inconvenient - Many people will avoid security because it’s an extra password, or it takes more time so they bypass it leading to a higher chance of a security incident. People Are Human - This is the biggest reason for all security breaches as everyone at some point will click something they shouldn’t by accident. What is Security Awareness Training? Security Awareness Training is training and awareness for your computer users, training as part of onboarding new employees, newsletters and alerts about new security threats and scams, testing and reporting, targeted education for critical roles and repeat offenders, and lastly, ongoing education that never stops.
Following Microsoft’s news about Hafnium, the Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs): CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.If successfully exploited, these CVEs would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. A large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC is encouraging these organisations to do so urgently. We cross to the US and speak with Mat Gangwer, Senior Director, Sophos Managed Threat Response and review the Microsoft Exchange hack and threat hunting advice. Full article, including updated ESET research: https://australiancybersecuritymagazine.com.au/microsoft-outlook-hack-and-advice-for-threat-hunting/ #Exchangehack #microsoft #cybersecurity #cyberbreach #exchange #CVE #Sophos Recorded Friday 12 March 2020 - video version is available here https://mysecuritymarketplace.com/av-media/microsoft-exchange-hack-and-advice-for-threat-hunting/
Sponsor by SEC Playground แบบสอบถามเพื่อปรับปรุง Chill Chill Security Channel: https://forms.gle/e5K396JAox2rZFp19 Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support
Last year, 2020, we saw an increase of Common Vulnerabilities and Exposures (CVEs) reported from 2019. What's interesting is the time of the year that most were reported. This episode talks about why that could have been. Be aware, be safe. Primary Partner - WeHackPurple.com Become A Patron! Patreon Page *** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five —————— Where you can find Security In Five —————— Security In Five Reddit Channel r/SecurityInFive Binary Blogger Website Security In Five Website Security In Five Podcast Page - Podcast RSS Twitter @securityinfive iTunes, YouTube, TuneIn, iHeartRadio,
Mit Philipp und Christian haben wir uns heute über Security unterhalten und am Schluss noch einen kleinen Ausflug Richtung Youtube-DL unternommen. Wahrscheinlich werden wir auch zu diesem Thema noch ein paar Mal zusammen setzen müssen :). Shownotes Unsere E-Mail für Fragen, Anregungen & Kommentare: hallo@python-podcast.de Security Vorlesung Netzwerksicherheit (HHU) Boxine (Toniebox..) Smashing The Stack For Fun And Profit Von-Neumann-Architektur / Harvard-Architektur Address space layout randomization / Executable space protection SQL injection psycopg Denial-of-service attack Ransomware-Befall Uniklinik Düsseldorf Adversarial machine learning Ada Ariane V88 Absturz Zertifizierung nach Common Criteria / Evaluation Assurance Level Pentest Web Application Firewall (WAF) xkcd zu security Common Vulnerabilities and Exposures (CVEs) Episode 18: Ten Years of Flask: Conversation With Creator Armin Ronacher Command injection etc Directory traversal attack graylog / kibana elk stack / sentry Django regex denial of service security advisory Indiauth für datasette / oauth2 / openid connect Defense in depth Password hashing via: scrypt / pbkdf2 Picks / Youtube-DL youtube-dl Origins of the youtube-dl project Musikindustrie schießt mit der Schrotflinte auf Open Source / Philipp Hagemeister, former YouTube-dl maintainer re: takedown Streisand-Effekt dateutil bcrypt Tonies - offene Stellen Öffentliches Tag auf konektom
Managing vulnerability disclosure can be a contentious issues: do you keep your vulnerability under wraps until you have a patch ready to distribute, or do you make it public sooner? In this episode Blair speaks to Gallagher's Chief Technology Officer – Security, Steve Bell, about Gallagher's journey to becoming a responsible vendor. They discuss Mitre's Common Vulnerabilities and Exposures, or CVE list, as well organisational and cultural considerations for becoming both responsible and secure by design. While there's no manual for this, Steve's expert guidance can help guide your own quest to becoming a responsible vendor. CREDITS Host: Blair Crawford, Co-founder and Managing Director, Daltrey Guest: Steve Bell, Chief Technology Officer - Security, Gallagher Producer: Dan McHugh The views and opinions expressed by guest speakers do not necessarily reflect the views or position of Daltrey. WANT MORE IDENTITY NEWS? Read our blog and subscribe to our newsletter www.daltrey.com.au/blog/ Follow us on LinkedIn www.linkedin.com/company/daltrey/ Follow us on Twitter #IdentityToday twitter.com/DaltreyID LET'S CHAT If you have press inquiries, a listener question or want to be a guest on the show, email us at hello@daltrey.com See omnystudio.com/listener for privacy information.
Threat modeling is a key to securing businesses, governments and individuals in a hacker-happy world. Its principles can be applied to disaster risk reduction (DRR), climate change adaptation (CCA) & other fields. Listen to Cybersecurity expert Adam Shostack in "Cybersecurity, Threat Modeling & in an Up & Down World" (Multi-Hazards Podcast S02 E19). Check out the Study Guide, click on the top left "PDF": https://multi-hazards.libsyn.com/cybersecurity-threat-modeling-in-an-up-down-world-conversation-with-adam-shostack Adam Shostack Bio Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the Common Vulnerabilities and Exposures (CVE) system and many other things. He currently helps many organisations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the Security Development Lifecycle (SDL) Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. If you'd like help threat modeling, or engineering more secure systems in general, take a look at his consulting pages at https://adam.shostack.org.
IT and web security has always been an interest of mine. Given that it was time for me to personally learn more about WordPress website security I decided to do a presentation for the Las Lajas WordPress meetup group. Website security is obviously relevant to the world of small biz and creative entrepreneurship, so this episode is based on my presentation. I also have the outside perspective of Beto Rubio, Founder of Servidores Rapidos, a Panama based web hosting company. Dealing with managing WordPress hosting, operations development and many other things IT related, Beto knows a thing or two about website security. In this conversation we discuss commonly overlooked practices, the top 5 WordPress security issues, common hacking attempts that use stolen passwords, hosting considerations and much more. Visit MorningTempo.com for show notes and more.
Sponsored By: Panelists Richard Littauer | Eric Berry | Justin Dorfman Guest Georg Link (http://www.georglink.de/) Bitergia (https://bitergia.com/) | CHAOSS (https://chaoss.community) Show Notes In this episode we talk with Georg Link, an Open Source Strategist. He is Director of Sales for Bitergia and Co-Founder, Governing Board Member of the Linux Foundation CHAOSS Project. He’s a native of Germany, but currently resides in Omaha, Nebraska. 04:21 Georg explains how he spent his last five years as he joined the PhD program, how he dove into Open Source, and his research focus. 5:25 The topic of metrics is discussed for Open Source. 07:52 The roots of the CHAOSS Project is explained and how it started at the Open Source Leadership Summit in 2017. 10:36 The topic of Red Hat’s contribution to Prospector as part of Project CHAOSS is explained and how it took the approach of taking metrics and providing an interface for analysis. 11:55 A question was posed to Georg about his perspective of his view when he started getting into the data behind Open Source and what kind of revelations he had. 15:29 One of the guys wants to know what Georg’s expectations are of these projects when they use metrics outlined and what will they do with it. 19:09 Georg talks about the two main reasons why he sees the metrics being implemented. 19:26 Justin brings up how Drupal does a comprehensive state of their community once a year and how they really go into metrics and Richard wants to know what metrics we have, and Georg expands on this topic. 22:26 Georg shares checking out CHAOSS.community/metrics to see shared metrics. 25:10 Richard wants to know how people who are not in an OSPO, who have a project, or are solo maintainers, or a team of people working on a project, how can they use these metrics to make their code better in the long run? Georg gives his recommendations on how to do this. 29:08 Georg explains who metrics are useful to and a question was asked from one of the guys as to how people can learn about different things from metrics without getting involved in the CHAOSS community if they don’t have time. Georg gives his advice. 33:38 Georg chats about what was different at the recent CHAOSSCON, what he’s focused on, and what he’s doing moving ahead. Listen on as he states, “It was the BEST we’ve had!” Spotlights 39:11 Justin’s spotlight this week is a TechRepublic article called, “Linux Foundation study throws the open source sustainability debate into question,” by Matt Asay. 39:38 Eric’s spotlight is a controversial one called Web3 Sustain Event-Blockchain. 40:47 Richard’s pick is Jekyll, to build websites really easily and fast using Ruby. 41:15 Georg gives a shout out to the LibreOffice community. Links Georg Link, PhD (https://georg.link/) Georg Link (http://www.georglink.de/) Georg Link Twitter (https://twitter.com/georglink) Georg Link Linkedin (https://www.linkedin.com/in/georglink) Bitergia (https://bitergia.com/) Red Hat (https://www.redhat.com/en) OSPO (https://www.redhat.com/en/blog/what-does-open-source-program-office-do) CHAOSS Participate (https://chaoss.community/participate/) CHAOSS Metrics (https://chaoss.community/metrics/) Finos Foundation (https://finosfoundation.atlassian.net/wiki/spaces/FINOS/overview) Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org/index.html) Drupal (https://www.drupal.org/) Cauldron (https://cauldron.io/) Tech Republic article by Matt Asay (https://www.techrepublic.com/article/new-study-throws-the-open-source-sustainability-debate-into-question/) Sustain Web3 event-Blockchain (https://web3.sustainoss.org/) Jekyll (https://jekyllrb.com/) LibreOffice (https://www.libreoffice.org/) Special Guest: Georg Link.
Almost every week, a new vulnerability is discovered in a popular WordPress plugin or theme, leaving developers scrambling to fix it before it’s widely exploited. Surprisingly, almost all critical vulnerabilities boil down to a few common mistakes. In this talk from WordCamp Phoenix, Ramuel Gall reviews these common errors and provides advice on creating secure plugins. Check out the video on YouTube to see slides with example code. There were some audio glitches during the presentation, but the content is good enough we had to share this with you. Transcript available in the show notes.
PHP Internals News: Episode 25: Security Management London, UK Thursday, August 29th 2019, 09:25 BST This episode of "PHP Internals News" is the second and last part of a longer conversation that I had with Stanislav Malyshev (GitHub, LinkedIn) about security related aspects of PHP development. In this episode, we discuss how the PHP projects deals with security issues. The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news Show Notes Mitre Common Vulnerabilities and Exposure (CVE): https://cve.mitre.org/ PHP's security pages. Credits Music: Chipper Doodle v2 — Kevin MacLeod (incompetech.com) — Creative Commons: By Attribution 3.0
The Common Vulnerabilities and Exposures (CVE) system is a critical tool for the cybersecurity industry. CVEs provide consistency in naming and clarity on the nature and impact of various vulnerabilities. In this week's Linux Security Podcast, Atomicorp CEO Mike Shinn discusses the origin and management of the CVE process, how it's used by cybersecurity professionals and why it's so important. He also discusses how vulnerability management systems are perpetually hobbled by the limitations of the CVE system.
Simon & Jeff get together to review a raft of updates large and small! Shownotes: Amazon Virtual Private Cloud (VPC) now Allows Customers to Tag Their Elastic IP Addresses | https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-virtual-private-cloud-vpc-now-allows-customers-to-tag-their-elastic-ip-addresses/ Amazon WorkSpaces Now Supports Configurable Storage and Switching Between Hardware Bundles | https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-workspaces-now-supports-configurable-storage-and-switching-between-hardware-bundles/ Now available in Amazon SageMaker: DeepAR algorithm for more accurate time series forecasting - AWS Machine Learning Blog | https://aws.amazon.com/blogs/machine-learning/now-available-in-amazon-sagemaker-deepar-algorithm-for-more-accurate-time-series-forecasting/ Amazon SageMaker BlazingText: Parallelizing Word2Vec on Multiple CPUs or GPUs - AWS Machine Learning Blog | https://aws.amazon.com/blogs/machine-learning/amazon-sagemaker-blazingtext-parallelizing-word2vec-on-multiple-cpus-or-gpus/ Amazon Inspector no Longer Requires a Compatible Kernel for Rules Packages like Common Vulnerabilities and Exposures (CVE) | https://aws.amazon.com/about-aws/whats-new/2018/01/amazon-inspector-no-longer-requires-a-compatible-kernel-for-rules-packages-like-common- vulnerabilities-and-exposures-cve/ Amazon Aurora with MySQL Compatibility Speeds Query Processing with Hash Join and Batched Scans | https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-aurora-with-mysql-compatibility-speeds-query-processing-with-hash-join-and-batched-scans/ Amazon Aurora with MySQL Compatibility Natively Supports Synchronous Invocation of AWS Lambda Functions | https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-aurora-with-mysql-compatibility-natively-supports-synchronous-invocation-of-aws-lambda-functions/ Announcing Preview of Amazon Aurora with MySQL 5.7 Compatibility | https://aws.amazon.com/about-aws/whats-new/2017/12/announcing-preview-of-amazon-aurora-with-mysql-5-7-compatibility/ AWS Developer Forums: Amazon S3 Inventory adds a time stamp | https://forums.aws.amazon.com/ann.jspa?annID=5368 AWS Lambda .NET Core 2.0 Support Released - AWS Developer Blog | https://aws.amazon.com/blogs/developer/aws-lambda-net-core-2-0-support-released/ Announcing Go Support for AWS Lambda - AWS Compute Blog | https://aws.amazon.com/blogs/compute/announcing-go-support-for-aws-lambda/ Amazon Kinesis Data Firehose is now Available in Three More Regions | https://aws.amazon.com/about-aws/whats-new/2018/01/amazon-kinesis-data-firehose-is-now-available-in-three-more-regions/ CloudWatch Introduces Tiered Pricing With up to 90% Discount for VPC Flow Logs and Other Vended Logs | https://aws.amazon.com/about-aws/whats-new/2018/01/cloudwatch-introduces-tiered-pricing-with-up-to-90-percent-discount-for-vpc-flow-logs-and-other-vended-logs/ Amazon EC2 Elastic GPUs Now Support OpenGL 4.3 | https://aws.amazon.com/about-aws/whats-new/2018/01/amazon-ec2-elastic-gpus-now-support-opengl-4-3/ New AWS Auto Scaling – Unified Scaling For Your Cloud Applications - AWS News Blog | https://aws.amazon.com/blogs/aws/aws-auto-scaling-unified-scaling-for-your-cloud-applications/
In this episode we chat with Steve Christey Coley currently the Principal Information Security Engineer over at MITRE Corp. In this episode we talk through our industry's obsession with vulnerabilities, dive headlong into the thorny issue of security research, talk through the various issues with disclosure and even delve into some ethics issues. This episode is content-packed with some content that you will likely want to talk to us about. So here's how to find us: Steve on Twitter: @SushiDude Hashtag for the show: #DtSR Steve's Bio (from LinkedIn - https://www.linkedin.com/in/steve-christey-coley-66aa1826): Editor / Technical Lead for the Common Vulnerabilities and Exposures (CVE) project; Technical Lead for the Common Weakness Enumeration (CWE); co-author of the "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002; participant in Common Vulnerability Scoring System (CVSS) and NIST's Static Analysis Tool Exposition (SATE). My primary interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Specialties: Vulnerability research, vulnerability management, software security.
Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.
Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.