CISA spins up an election operations war room. Microsoft neglected to restrict access to gender-detecting AI. Yahoo uncovers vulnerabilities in OpenText's NetIQ iManager. QNAP issues urgent patches for its NAS devices. Sysdig uncovers Emerald Whale. A malvertising campaign exploits Meta's ad platform to spread the SYS01 infostealer. Senator Ron Wyden wants to tighten rules aimed at preventing U.S. technologies from reaching repressive regimes. Researchers use AI to uncover an IoT zero-day. Sophos reveals a five-year battle with firewall hackers. Our guest is Frederico Hakamine, Technology Evangelist from Axonius, talking about how threats both overlap and differ across individuals and critical infrastructure. Be afraid of spooky data. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Selected Reading: CISA Opens Election War Room to Combat Escalating Threats (GovInfo Security) Agencies face ‘inflection point’ ahead of looming zero-trust deadline, CISA official says (CyberScoop) Microsoft Provided Gender Detection AI on Accident (404 Media) Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution (SecurityWeek) QNAP patches critical SQLi flaw (Beyond Machines) EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files (Sysdig) Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer (Hackread) Exclusive: Senator calls on Commerce to tighten proposed rules on exporting surveillance, hacking tech to problematic nations (CyberScoop) GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI (GreyNoise) Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices (WIRED) Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats (Sophos News) Spooky Data at a Distance (LinkedIn) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
PEBCAK Podcast: Information Security News by Some All Around Good People
Welcome to this week's episode of the PEBCAK Podcast! We've got four amazing stories this week so sit back, relax, and keep being awesome! Be sure to stick around for our Dad Joke of the Week. (DJOW) Follow us on Instagram @pebcakpodcast TSA bypassed by SQL injection attack https://www.bleepingcomputer.com/news/security/researchers-find-sql-injection-to-bypass-airport-tsa-security-checks/ https://xkcd.com/327/ https://arstechnica.com/information-technology/2023/10/sob-story-about-dead-grandma-tricks-microsoft-ai-into-solving-captcha/ Russian APT29 uses commercial spyware exploits https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-use-ios-chrome-exploits-created-by-spyware-vendors/ https://www.darkreading.com/threat-intelligence/commercial-spyware-vendors-have-a-copycat-in-top-russian-apt People too good at spotting phishing https://krebsonsecurity.com/2024/08/when-get-out-the-vote-efforts-look-like-phishing/ https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/ Career Goals https://guykawasaki.com/guy-kawasaki/ Dad Joke of the Week (DJOW) Please share this podcast with someone you know! It helps us grow the podcast and we really appreciate it! Find the hosts on LinkedIn: Chris - https://www.linkedin.com/in/chlouie/ Brian - https://www.linkedin.com/in/briandeitch-sase/ Glenn - https://www.linkedin.com/in/glennmedina/ Jason - https://www.linkedin.com/in/jason-seemann-12b7075/
Becoming Attention, Weighting on OpenAI, Ozempic and Aging?, and more... ➡ Check out Vanta and get $1000 off: vanta.com/unsupervised Subscribe to the newsletter at: https://danielmiessler.com/subscribe Join the UL community at: https://danielmiessler.com/upgrade Follow on X: https://twitter.com/danielmiessler Follow on LinkedIn: https://www.linkedin.com/in/danielmiessler See you in the next one! Become a Member: https://danielmiessler.com/upgrade See omnystudio.com/listener for privacy information.
SQL injection, often known as SQLi, is the most common and frequently used web-based attack, in which attackers supply malicious SQL statements through an application's inputs so that they are executed against the underlying SQL database, letting them modify the database and access potentially valuable information.
SQL Injection has been a problem for my entire career. Thirty years ago I could easily have blamed this on ignorance, as most of our developers didn't think about the nefarious ways that hackers enter data into our applications. These days there isn't a good reason for this to keep happening, and the problem is us. I think that we don't provide good examples or training on secure coding or secure architecture as a normal part of teaching programming. In many organizations, we don't check for issues and prevent their release. Some do, but many don't. On top of this, the existing code is usually a poor template for writing future code. I do think Microsoft aims for secure coding in SQL Server, but in Windows there is still work to be done. A few months ago, I saw an article noting that the US CISA organization and the FBI had issued a secure-by-design alert (PDF) stating that there is no excuse for SQL Injection vulnerabilities (SQLi) in modern software. This alert notes that SQLi has been an "unforgivable vulnerability" since at least 2007. Inside the document, on vulnerabilities, it notes that a single quote can't be used in certain fields: username, password, ID field, or numeric field. They also note that co-mingling user data and query data, like constructing queries on demand, is a poor practice. Read the rest of SQL Injection Is Not Acceptable
Change Healthcare - AHA asks for aid, HHS questions HIPAA compliance Fortinet warns of severe SQLi vulnerability in FortiClientEMS software Yacht company MarineMax announces cyberattack Thanks to today's episode sponsor, Vanta From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging. Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization. Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk. To learn more, go to vanta.com/ciso and watch their 3-minute product demo. For the stories behind the headlines, head to CISOseries.com.
In today's podcast we cover four crucial cyber and technology topics, including: 1. Courts, FTC uphold enforcement action against data broker 2. Pennsylvania courts facing outages amidst DDoS attacks 3. Individual faces 25 years in prison for supporting money laundering 4. Researchers find “resumelooter” who have stolen data from 65 sites I'd love feedback; feel free to send your comments and feedback to cyberandtechwithmike@gmail.com
Picture of the Week. Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software. And as for MOVEit... What's a "Rug Pull" ?? "Avast, ye Matey" China's OpenKylin v1. TootRoot! Firefox 115. Did Russia Disconnect? Use some honey if you want to catch some flies. Cryptocurrency losses. International Consumer Data Transit. Apple's emergency update retraction. Syncthing Revisited. Closing the Loop. SpinRite's first RTM release. RTOS-32. Rowhammer Indelible Fingerprinting. Show Notes: https://www.grc.com/sn/SN-930-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: canary.tools/twit - use code: TWIT bitwarden.com/twit GO.ACILEARNING.COM/TWIT
In a recent survey on purple teaming, 89 percent of respondents who had used the method deemed purple teaming activities “very important” to their security operations. Purple teaming exercises conducted regularly have the power to improve collaboration across teams, ensure issues are identified and remediated more proactively, and provide a means to measure progress over time. With all these benefits, why isn't everyone doing it? Purple teaming doesn't have to be such a heavy lift. With the right mindset and tools, any team can get started regardless of resources. This talk will highlight practical tips for getting started with purple teaming exercises and show off PlexTrac Runbooks, a platform designed to plan, execute, report, and remediate collaborative purple teaming engagements so teams can maximize their efforts and improve their security posture. Segment Resources: Learn more and book a demo: https://plextrac.com/securityweekly More information on Runbooks: https://plextrac.com/platform/runbooks/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinks he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw771
In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinks he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw771
Some RCE chains starting with DNS rebinding, always fun to see, a fairly basic SQL injection, and a JS sandbox escape for RCE in Spotify. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/171.html [00:00:00] Introduction [00:00:38] RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924] [00:17:55] SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300] [00:22:34] Unauthenticated Remote Code Execution in Spotify's Backstage [00:36:28] Till REcollapse [00:41:19] Chat Question: Alternatives to IDA Freeware The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9
2022-09-20 Weekly News - Episode 164
Watch the video version on YouTube at https://youtu.be/qIpbpe852XQ
Hosts: Gavin Pickin - Senior Developer at Ortus Solutions
Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there. A few ways to say thanks back to Ortus Solutions:
BUY A WORKSHOP TICKET for After CF Summit - Learn ColdBox APIs, VueJS and Quasar for exporting to mobile, desktop and the web!!!
Like and subscribe to our videos on YouTube.
Help ORTUS reach for the Stars - Star and Fork our Repos
Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github
Subscribe to our Podcast on your Podcast Apps and leave us a review
Sign up for a free or paid account on CFCasts, which is releasing new content every week
BOXLife store: https://www.ortussolutions.com/about-us/shop
Buy Ortus's Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)
Patreon Support (IMPECCABLE)
Goal 1 - We have 40 patreons providing 100% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions
Goal 2 - We are 33% of the way to fully fund the hosting of ForgeBox.io
News and Announcements
ITB Session Survey Raffle
Ali Awan - Amazon Gift Card - $25
Shawn Oden - Modern CFML Book
Ryan Hinto - Modern CFML Book
2 more weeks for more survey results - giving away more Modern CFML Books, and a Shirt from the Box Life Store!
Ortus hiring another USA Developer
Although we're always looking, we're actively looking to hire that USA developer now. So check the criteria on the Careers page, and email us at info@ortussolutions.com today to start the process. https://www.ortussolutions.com/about-us/careers
CF Summit AMA Session
Ask Dave Ferguson and Matt Gifford anything, literally! Post your questions here: https://docs.google.com/forms/d/e/1FAIpQLScRgS7UKySpVyf8Q5SAd6_gM3xKgh-D14_TjnZnkpyzo2qYeg/viewform?usp=send_form and select questions will be answered live on stage by the experts. Only at the Adobe ColdFusion Summit 2022.
Register now: https://cfsummit.adobeevents.com/
State of the CF Union Survey - Results - Part 1 - Podcast
Gavin Pickin talks about “State of CF Union Survey 2022 Results In-Depth Analysis Part 1 (14 cool ColdFusion, Database and Frameworks insights)” in this episode of the ColdFusion Alive Podcast with host Michaela Light.
“…so far right now, you know, we see 60% of people are using a supported ColdFusion licensed product…”
https://teratech.com/podcast/state-of-cf-union-survey-2022-results-in-depth-analysis-part-1-14-cool-coldfusion-database-and-frameworks-insights-with-gavin-pickin
Hacktoberfest 2023
Registrations begin Sept 26th 2023. https://hacktoberfest.com/
New Releases and Updates
Lucee now has Mail Listeners
Mail Listeners can be configured to be triggered before and after sending email (only for email sending as async). These follow the same pattern as Query Listeners. This is available as an experimental feature in Lucee 5.3 and is officially supported in Lucee 6.0.
https://docs.lucee.org/guides/cookbooks/mail_listeners.html
Webinar / Meetups and Workshops
ICYMI - Ortus Webinar - September - Into the Box - Recap
Friday, September 16th, 2022: Time 12:30AM Central Time (US and Canada)
Join members of the Ortus team as they discuss Into the Box 2022, with a recap on all the new releases, product updates, happy box, the hallway track, the food, and what's coming for Into the Box 2023 in less than 9 months time!
Watch live on Youtube: https://youtu.be/l4S-UEF8XIw
Adobe Workshops & Webinars
Join the Adobe ColdFusion Workshop to learn how you and your agency can leverage ColdFusion to create amazing web content. This one-day training will cover all facets of Adobe ColdFusion that developers need to build applications that can run across multiple cloud providers or on-premise.
WORKSHOP - WEDNESDAY, SEPTEMBER 21, 2022, 9:00 AM CEST - Adobe ColdFusion Workshop - Damien Bruyndonckx - https://adobe-coldfusion-workshop-1day.meetus.adobeevents.com/
WEBINAR - THURSDAY, SEPTEMBER 22, 2022, 10:00 AM PDT - Building Custom Adobe Connect Pods with CF2021 - Mark Takata - https://building-custom-adobe-connect-pods-cf2021.meetus.adobeevents.com/
WEBINAR - WEDNESDAY, NOVEMBER 23, 2022, 10:00 AM PST - Building Native Mobile Applications with Adobe ColdFusion & Monaco.io - Mark Takata - https://building-native-mobile-apps-with-cf-monaco-io.meetus.adobeevents.com/
WEBINAR - THURSDAY, DECEMBER 22, 2022, 10:00 AM PST - Winter Holiday Special: A preview of ColdFusion 2023 - Mark Takata - https://winter-special-preview-of-cf2023.meetus.adobeevents.com/
FREE :) Full list - https://meetus.adobeevents.com/coldfusion/
CFCasts Content Updates - https://www.cfcasts.com
Just Released
Every video from ITB - For ITB Ticket Holders Only - Will be released for Subscribers in December 2022
ForgeBox Module of the Week Series - 1 new Video - https://cfcasts.com/series/2022-forgebox-modules-of-the-week
2022 VS Code Hint Tip and Trick of the Week Series - 1 new Video - https://cfcasts.com/series/2022-vs-code-hint-tip-and-trick-of-the-week
Coming Soon - Now that ITB is over we can get back to our Video Series
More ForgeBox and VS Code Podcast snippet videos
Box-ifying a 3rd Party Library from Gavin
ColdBox Elixir from Eric
Getting Started with ContentBox from Daniel
ITB Videos will be released in Dec for those who are not ITB Ticket Holders
Conferences and Training
CF Summit - Official
At the Mirage in Las Vegas, NV
Oct 3rd & 4th - CFSummit Conference
Oct 5th - Adobe Certified Professional: Adobe ColdFusion Certification Classes & Tests
https://cfsummit.adobeevents.com/
https://www.adobe.com/products/coldfusion-family/certificate.html
Registrations are now open. Schedule has been announced!!!!
Ortus CF Summit Training Workshop
ColdBox Zero to MegaHero: REST APIs + VueJS Mobile App
Oct 5th and 6th - After CF Summit Conference
Led by Luis Majano & Gavin Pickin
Price: $799 - Early bird pricing
https://www.eventbrite.com/e/ortus-cf-summit-training-workshop-tickets-375306340367
Location: Aria - In the luxurious Executive Hospitality Suite like 2019
Free T-Shirt
Free Modern CFML Book
Free ColdBox Zero to Hero Workshop on CFCasts to help you prepare
We'll even refund you $50 if you bought your ticket and need to change it to stay for the workshop!!!!
AWSome Day Online Conference
THURSDAY, OCTOBER 20, 2022, 9AM – 12PM PT | 12PM – 3PM ET
We're bringing the cloud down to Earth. Join us for a free virtual 3-hour AWS Cloud training event delivered by our skilled in-house instructors.
https://aws.amazon.com/events/awsome-day/americas/
Into the Box Latam 2022
Dec 5th or 7th - More information is coming very soon.
Dev Nexus
April 4-6th in Atlanta
Super Early Bird will be on sale until October 9, 2022 (Approx 50% off)
If you are planning to speak, please submit often and early. The CALL FOR PAPERS is open until November 15.
WORKSHOPS WILL BE ON JAVA, JAVA SECURITY, SOFTWARE DESIGN, AGILE, DEVOPS, KUBERNETES, MICROSERVICES, SPRING ETC. SIGN UP NOW, AND YOU WILL BE ABLE TO CHOOSE A WORKSHOP LATER ON. https://devnexus.com/
Into the Box 2023 - 10th Edition
Middle of May - start planning. Final dates will be released as soon as the hotel confirms availability.
CFCamp
No CFCAMP 2022, we're trying again for summer 2023. TLDR is that it's just too hard and there's too much uncertainty right now.
More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community. https://confs.tech/
Blogs, Tweets, and Videos of the Week
9/20/22 - Blog - Grant Copley - Ortus Solutions - Prefetching in CBWIRE
When I want to increase the perceived speed of my CBWIRE apps, one tool I reach for is prefetching. Prefetching is a built-in feature of Livewire JS that allows you to invoke an Action's results on mouseOver.
https://www.ortussolutions.com/blog/prefetching-in-cbwire
9/20/22 - Blog - Michael Born - Ortus Solutions - How to Get the Version of Any Java Package from CFML
The Apache POI library is an awesome tool for messing with spreadsheets. You can read spreadsheet data, get header rows, total row count, all sorts of wacky stuff. Julian Halliwell's excellent spreadsheet-cfml library uses it to great effect.
https://michaelborn.me/entry/how-to-get-the-version-of-any-java-package-from-cfml
9/17/22 - Blog - Ben Nadel - Adding An Angular 14 Front-End To My ColdFusion Feature Flag Exploration
About a month ago, I posted Strangler: Building a Feature Flag System in ColdFusion. That proof-of-concept was constructed in Lucee CFML using a standard post-back workflow wherein each navigation begot a full page refresh. Over the last few weeks, I've been dribbling some effort into creating a thick-client experience using Angular 14. The UI (User Interface) still leaves a lot to be desired; but, I think as a second-stage proof-of-concept, there's enough here to be demoed.
https://www.bennadel.com/blog/4323-adding-an-angular-14-front-end-to-my-coldfusion-feature-flag-exploration.htm
9/16/22 - Blog - James Moberg - areBracesValid UDF for ColdFusion/CFML
I was using a version of smartSearch from CFLib.org that I had updated with some simple regex detection for SQLi strings, but it wasn't catching everything. I considered disabling the bracket matching feature and rejecting any query search terms that attempted to use ( or ), but then considered that I should validate so that the feature could still be used since it is beneficial when not being exploited.
https://dev.to/gamesover/arebracesvalid-udf-for-coldfusioncfml-21fg
9/16/22 - Gavin Pickin - Ortus Solutions - Into the Box 2022 - Conference Recap
This year's Into the Box has just wrapped up, but we are already preparing for 2023's Into the Box, May, Houston Texas! The event was a huge success, we had solid attendance in person, and almost doubled our online viewership from 2021, great feedback from attendees in Houston, and online. So many attendees didn't say goodbye at the end of the conference, they said see you next year, which, as an organizer, lets you know you've done things right, and the hard work has paid off.
https://www.ortussolutions.com/blog/into-the-box-2022-conference-recap
9/15/22 - David Tattersall - Fusion Reactor - Announcing FusionReactor 9.0
We are very proud to announce the release of FusionReactor 9.0, which represents a major milestone for FusionReactor and has been almost 2 years in the making. FusionReactor has always been about helping engineers, support, and DevOps to get to the root of application problems as quickly as possible. As software engineers, the founders of the company wanted to develop a product that would be familiar to us, and which would enable us to resolve performance and stability problems quickly. Up till now, we have focused the product on serving the ColdFusion and Java applications market. Our commitment to these platforms will not change.
https://www.fusion-reactor.com/blog/announcing-fusionreactor-9-0/
9/13/22 - Michael - REVIEW: DEVOPS TOOLS FOR JAVA DEVELOPERS
Both JFrog and O'Reilly sent me a paper copy of DevOps Tools for Java Developers for review (or my reading pleasure, or hopefully both). The copies came with no strings attached and this article is my honest opinion. The book is written by Ixchel Ruiz, Melissa McKay, Stephen Chin and Baruch Sadogursky. 3 of them I met personally and all of them come very much from the developer side of things and are known people in the Java world. All of them work at JFrog these days.
https://info.michael-simons.eu/2022/09/13/review-devops-tools-for-java-developers/
CFML Jobs
Several positions available on https://www.getcfmljobs.com/
Listing over 132 ColdFusion positions from 73 companies across 62 locations in 5 Countries.
6 new jobs listed this week
Full-Time - Lucee/ Coldfusion Developer – Freelance – Belgium at England.. - United Kingdom - Sep 20 - https://www.getcfmljobs.com/jobs/index.cfm/united-kingdom/Lucee-Coldfusion-Developer-Freelance-Belgium-at-England/11519
Full-Time - Software Developer (m/w/d) at Hannover oder remot (Germany).. - Other Countries - Sep 19 - https://www.getcfmljobs.com/viewjob.cfm?jobid=11518
Full-Time - Sr Software Engineer/ColdFusion Developer at Reston, VA - United States - Sep 16 - https://www.getcfmljobs.com/jobs/index.cfm/united-states/Sr-Software-EngineerColdFusion-Developer-at-Reston-VA/11517
Full-Time - Sr Software Engineer/ColdFusion Developer at Remote - United States - Sep 16 - https://www.getcfmljobs.com/jobs/index.cfm/united-states/Sr-Software-EngineerColdFusion-Developer-at-Remote/11516
Full-Time - Enterprise Sales Account Manager, ColdFusion (EMEA Shift) at.. - India - Sep 14 - https://www.getcfmljobs.com/jobs/index.cfm/india/Enterprise-Sales-Account-Manager-ColdFusion-EMEA-Shift-at-Noida-Uttar-Pradesh/11515
Full-Time - Software Engineer 3- ColdFusion at Remote - United States - Sep 14 - https://www.getcfmljobs.com/jobs/index.cfm/united-states/Software-Engineer-3-ColdFusion-at-Remote/11514
Other Job Links
Ortus Solutions - https://www.ortussolutions.com/about-us/careers
Oak Ridge National Laboratory, TN: https://jobs.ornl.gov/job/Oak-Ridge-Systems-Engineer-and-Software-Developer-TN-37830/923356000/?fbclid=IwAR3te_Ttc_n69FYUFBVBYM9IJ2K8xMSspL_pL303Qv-vdqYmgVcqEtZPQX0
There is a jobs channel in the CFML slack team, and in the box team slack now too.
ForgeBox Module of the Week
cbPlaywright - CFML integration with TestBox and Playwright to run tests in actual browsers
https://forgebox.io/view/cbPlaywright
VS Code Hint Tips and Tricks of the Week
VSCode Great Icons - A big pack of icons (200+) for your files.
Quote from Blog: Slightly less popular than the most common icon extension, vscode-icons. I think the icons here look so much better than the default, and the folder icons make it easier to tell which directory I'm in.
https://marketplace.visualstudio.com/items?itemName=emmanuelbeziat.vscode-great-icons
Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keeps getting the continuous development it needs, and to fund the cloud infrastructure our community relies on, like ForgeBox for our Package Management with CommandBox.
You can support us on Patreon here: https://www.patreon.com/ortussolutions
Don't forget, we have Annual Memberships, pay for the year and save 10% - great for businesses.
Bronze Packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription.
All Patreon supporters have a Profile badge on the Community Website
All Patreon supporters have their own Private Forum access on the Community Website
All Patreon supporters have their own Private Channel access in the BoxTeam Slack
Live Stream Access to streams like “Koding with the Kiwi + Friends”
https://community.ortussolutions.com/
NEW PATREON EXCLUSIVES - GAVIN CRAZY IDEAS - Voting in the BoxTeam Slack
Patreons: John Wilson - Synaptrix, Jordan Clark, Gary Knight, Mario Rodrigues, Giancarlo Gomez, David Belanger, Dan Card, Jonathan Perret, Jeffry McGee - Sunstar Media, Dean Maunder, Nolan Erck, Abdul Raheen, Wil De Bruin, Joseph Lamoree, Don Bellamy, Jan Jannek, Laksma Tirtohadi, Brian Ghidinelli - Hagerty MotorsportReg, Carl Von Stetten, Jeremy Adams, Didier Lesnicki, Matthew Clemente, Daniel Garcia, Scott Steinbeck - Agri Tracking Systems, Ben Nadel, Richard Herbet, Brett DeLine, Kai Koenig, Charlie Arehart, Jason Daiger, Shawn Oden, Matthew Darby, Ross Phillips, Edgardo Cabezas, Patrick Flynn, Stephany Monge, Kevin Wright, John Whish, Peter Amiri, Cavan Vannice
You can see an up to date list of all sponsors on Ortus Solutions' Website: https://ortussolutions.com/about-us/sponsors
Thanks everyone!!!
★ Support this podcast on Patreon ★
Today's menu: According to a survey, the average American visits suspicious sites 6.5 times a day; Chinese hacker search engine; Chinese UEFI rootkit found on Gigabyte and Asus motherboards | SecurityWeek.Com; Forged git metadata; Anti-vax dating site exposed the data of 3,500 users through a "debug mode" bug - The Verge; NoMoreRansom birthday; FBI seizes $500,000 in ransomware payments and crypto from North Korean hackers; Clearing up hacking with XSS; Start learning security with SQLi. Our contacts: Telegram, Twitter, Instagram, Facebook, Mail: info@hackeslangos.show
SecAura is an amateur YouTuber whose post caught my attention when I came across it. SecAura creates free educational videos for ethical hacking and goes the extra mile to hand-craft many of the animations used in the videos. All of this is done outside of the 9-5 job SecAura has as a penetration tester. Realizing that the technical subjects needed diagrams and that these elements were a core part of the videos being created, SecAura decided to hand-craft the animations for each of the subjects being prepared, teaching himself all that was required to do so while constantly trying to improve with each video released.
SecAura aims to have every video released be at the top of its game in terms of teaching someone who knows very little about a subject and getting them to a great foundational and applicable position just from watching his videos. He also hopes to extend the community and help to create the next generation of cybersecurity professionals by providing them with real, practical skills, backed by the theory!
About SecAura [from Twitter]
By day I work as a pentester, and in the evening, I compete in CTFs/cyber things. I have always loved teaching, and wanted to give back to the cyber community the best I can, so I made my YouTube Channel.
It was a treat speaking with SecAura, learning about the creativity, passion, and production that goes into the making of each of these videos, and how they can be used by those looking to enter the field of information security, preparing for a job interview, looking to grow their skills as they aspire to take on new roles or perhaps even get promoted at their job.
So many use cases — lots of great content — all from a super cool human.
____________________________
Guest
SecAura
Ethical Hacking Content Creator
On Twitter | https://twitter.com/secaura_
On LinkedIn | https://www.linkedin.com/in/sec-aura-57736422a/
On YouTube | https://www.youtube.com/channel/UCx89Lz24SEPZpExl6OfQ0Gg
____________________________
This Episode's Sponsors
Imperva: https://itspm.ag/imperva277117988
Asgardeo by WSO2: https://itspm.ag/asgardeo-by-wso2-u8vc
____________________________
Resources
More information about SecAura: https://twitter.com/secaura_/status/1518241710412808192
The new SQLi video discussed during the conversation: UNLEASH THE POWER OF SQL INJECTION | A beginners guide: https://www.youtube.com/watch?v=_Y4MpvB6o7s
VIDEO: Web Fundamentals for Cyber Security | HTTP for Hackers | 0x01 (Animated): https://www.youtube.com/watch?v=ro-5AjgoPc4
____________________________
To see and hear more Redefining Security content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity
Are you interested in sponsoring an ITSPmagazine Channel?
In this episode, Erik and Kris share a repository of over 400 open education tools. Our co-hosts also discuss recent tech and education news including "the next Google", the pros and cons of using technology to improve education, SQLi vulnerabilities in higher ed institutions, new online learning entrepreneurs, and smartphones vs science. The app of the month is iA Writer.
SHOW NOTES:
Tools:
*Innovations in Scholarly Communication by the University of Utrecht
*List of 400 open education tools
*Tabula
News articles
*DKB: The Next Google
*Entrepreneur: 5 edtech trends that will change learning between now and 2030
*Brookings: The promise and perils of new technologies to improve education
*VentureBeat: 35% of educational institutions have a SQLi vulnerability
*Financial Times: The new online learning entrepreneurs
*Cal Newport blog post: Smartphones vs. Science
Learning opportunities
*University of British Columbia: Program for Open Scholarship and Education
App of the month:
*iA Writer
CONTACT:
Website: edtechexamined.com
Email: hey@edtechexamined.com
Twitter: @EdTechExamined
TEAM INFORMATION:
Erik Christiansen, Co-Founder & Co-Host
Website: erikchristiansen.net
Twitter: @egchristiansen
Blog: tech-bytes.net
Kris Hans, Co-Founder & Co-Host
Website: krishans.ca
Twitter: @KrisHans
Market Grade: marketgrade.com
Christopher Hoang, Audio Producer & Sound Engineer
Website: chrishoang.ca
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/facebook-exploits-pfsense-rce-and-mysqljs-sqli.html A few interesting issues for you this week: a JS race condition in some auth related code for Facebook, some fake prepared queries, and an RCE through sed commands (in pfSense) [00:00:56] Remote Code Execution in pfSense (2.5.2 and earlier) [00:06:13] Finding an Authorization Bypass on my Own Website [00:17:43] More secure Facebook Canvas Part 2: More Account Takeovers [00:32:43] The perils of the "real" client IP The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
In today's podcast we cover four crucial cyber and technology topics, including: 1. Scammers use SMS scam via fake android apps to steal money 2. Discourse installs vulnerable to remote code execution 3. BillQuick Web Suite exploited to compromise users 4. Kansas man used mobile phone to tamper with water plant remotely I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/websocket-hijacking-github-review-bypass-and-sqli-to-rce.html Just a handful of traditional vulns this week: IDOR, CSRF, SQLi, a logic vuln and zi's boomer side starts to show. [00:00:18] Remote Chaos Experience [00:03:30] [Concrete CMS] Stored unauth XSS in calendar event via CSRF [00:08:47] ‘Websocket Hijacking' to steal Session_ID of victim users [00:14:17] IDOR + Account Takeover leads to PII leakage [00:27:27] Bypassing required reviews using GitHub Actions [00:33:20] How I Escalated a Time-Based SQL Injection to RCE The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
In this episode we take a close look at ORMs. Is the promise that came with their introduction, i.e. cost-free and painless swapping of the database, a fact or just a pipe dream, and could we get rid of them altogether to the benefit of our projects? Or is hand-typing SQL a thing of the distant past that will never come back?
Godfathers (hosts): Konrad Kokosa, Piotr Karczmarz, Michał Kuliński
Books:
Stanisław Lem - Maska - https://ebookpoint.pl/view/112736/maska-stanislaw-lem,e_c345.htm
Stanisław Lem - Eden - https://ebookpoint.pl/view/112736/eden-stanislaw-lem,e_c33y.htm
Dennis E. Taylor - Nasze imię Legion, Nasze imię Bob (We Are Legion, We Are Bob) - https://ebookpoint.pl/view/112736/nasze-imie-legion-nasze-imie-bob-dennis-e-taylor,e_1guz.htm
Wy wszyscy moi ja - Miłosz Brzeziński - https://ebookpoint.pl/view/112736/wy-wszyscy-moi-ja-milosz-brzezinski,e_0zs9.htm
Mario Puzo - Ojciec Chrzestny (The Godfather) - https://ebookpoint.pl/view/112736/ojciec-chrzestny-mario-puzo,e_22xp.htm
Links:
Kabaret Moralnego Niepokoju - Ten tego - https://www.youtube.com/watch?v=fr0EFkYIql4
LINQ to SQL - MiniProfiler - https://miniprofiler.com/
EntityFramework - https://docs.microsoft.com/pl-pl/ef/
ADO.NET - https://docs.microsoft.com/pl-pl/dotnet/framework/data/adonet/
DataTable, DataSet - https://docs.microsoft.com/en-us/dotnet/api/system.data.datatable?view=net-5.0
Rust, *.toml - https://doc.rust-lang.org/cargo/reference/manifest.html
nHibernate - https://nhibernate.info/
Fluent nHibernate - https://github.com/nhibernate/fluent-nhibernate
Dapper - https://dapper-tutorial.net/dapper
https://killedbygoogle.com/
https://killedbymicrosoft.nl/
https://www.llblgen.com/
DataObjects.net
OstraPiła #40 - The episode on stored procedures - https://ostrapila.pl/40
Old is New New - https://www.youtube.com/watch?v=AbgsfeGvg3E
Preventing the Collapse of Civilization - https://www.youtube.com/watch?v=pW-SOdj4Kkk
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:
The latest news on the health system ransomware crisis in Ireland
TSA to force pipeline operators to disclose attacks they probably aren’t detecting anyway
Colonial paying ransom angers US congresspeople who really haven’t thought this through
Iran targets Israeli systems with new wipers
Israel targets Hamas systems with guided munitions that go bang
Much, much more
This week’s sponsor guest is Ryan Kalember, EVP of Cybersecurity Strategy at Proofpoint. He joins us to talk about how compromised O365 accounts are powering all sorts of threat actors right now – from ransomware operators to BEC crews and APT units, everyone loves a popped mailbox. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
U.S. didn’t hack DarkSide group that hacked Colonial Pipeline - The Washington Post
Hear ye, DarkSide! This honorable ransomware court is now in session | Ars Technica
Colonial Pipeline CEO to face questions from Congress on $4.4 million ransom payment
TSA to issue cyber directive for pipeline operators following Colonial ransomware attack
Irish officials warn of ongoing disruptions to health system, long recovery following ransomware incident
hakan on Twitter: "So, one hour ago CONTI apparently decided to provide HSE with a free decryption tool, as per their statement (see screenshot. https://t.co/lyIuBoN6XP" / Twitter
Irish officials analyze decryption tool as long recovery process from ransomware continues
FBI: Conti ransomware gang attacked more than 400 orgs, including 911 centers | The Record by Recorded Future
Cyber insurance premiums rise as ransomware, hacks continue, GAO finds
New Iranian threat actor targets Israel with wipers disguised as ransomware | The Record by Recorded Future
Microsoft warns of malware campaign spreading a RAT masquerading as ransomware | The Record by Recorded Future
Israel bombed two Hamas cyber targets | The Record by Recorded Future
Israel Is a Cyber Superpower But Chooses Bombs to Fight Hackers in Gaza
FSB NKTsKI: Foreign 'cyber mercenaries' breached Russian federal agencies | The Record by Recorded Future
How Hydra, a Russian dark net market, made more than $1 billion in 2020
Air India says data breach impacts 4.5 million former passengers | The Record by Recorded Future
The Full Story of the Stunning RSA Hack Can Finally Be Told | WIRED
Nagios IT monitoring vulnerabilities chained to compromise telco customers en masse | The Daily Swig
Open source ecosystem ripe for dependency confusion attacks, research finds | The Daily Swig
DeepSloth: Researchers find denial-of-service equivalent against machine learning systems | The Daily Swig
Chinese government has warned 222 apps to remove data slurping code | The Record by Recorded Future
Just a handful of Android apps exposed the data of more than 100 million users | The Record by Recorded Future
Microsoft releases SimuLand, a lab environment to simulate attacker tradecraft | The Record by Recorded Future
WordPress security: More than 600,000 sites hit by blind SQLi vulnerability in WP Statistics plugin | The Daily Swig
Arm and Qualcomm zero-days quietly patched in this month's Android security updates | The Record by Recorded Future
Vulnerability in VMware product has severity rating of 9.8 out of 10 | Ars Technica
Apple fixes macOS zero-day abused by XCSSET malware | The Record by Recorded Future
So long, Internet Explorer, and your decades of security bugs | TechCrunch
Webinar Registration - Zoom
This week Jeff Foley hangs out to talk about asset discovery using amass, recon methodologies, hashcat style brute forcing vs. wordlists, extending functionality via the embedded Lua engine and more. My 3 main takeaways were 1) how to find assets that don't share a domain name using JARM 2) how they made scanning faster by essentially lowering the DNS brute forcing query rate and 3) what the future has in store for the project. For more information, including the show notes check out https://breachsense.io/podcast

This week Jim Manico joins the show to talk about Cross Site Scripting, CSPs, strict dynamic, trusted types, SameSite cookies, NIST SP 800-63, password shucking and more. My 3 main takeaways were 1) how to do input validation correctly 2) why using nonces in your CSP is safer than creating an allowed list policy and 3) the right way to handle passwords. For more information, including the show notes check out https://breachsense.io/podcast

This week Charlie Belmer joins the show to chat about NoSQLi, web proxies, cloud security, tips to get started in InfoSec and more. My 3 main takeaways were 1) how SQLi differs from NoSQLi 2) why privacy still matters and 3) how cookieless tracking works and some of the frightening techniques used. For more information, including the show notes check out https://breachsense.io/podcast
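The "right way to handle passwords" takeaway from the Jim Manico episode, as an added example that is not from the episode or its show notes: a NIST SP 800-63B style memorized-secret check (minimum 8 characters, at least 64 allowed, any printable Unicode, no composition rules, rejection of values found in a breach corpus) plus scrypt hashing with a per-user salt, using only the Python standard library. The breached-password set is a constructed five-entry stand-in for a real corpus, the hash format string is invented for the demo, and the comment on shucking explains why a legacy fast hash must not be wrapped in a slow one.

```python
import hashlib
import secrets
import unicodedata

# Constructed stand-in for a breach corpus (not from the episode); production code
# checks against a real one, e.g. a k-anonymity range query to Have I Been Pwned.
BREACHED = {"password", "123456", "qwerty", "letmein", "correcthorse"}

# NIST SP 800-63B memorized-secret rules in short: at least 8 characters, allow at
# least 64, accept any printable Unicode, no composition rules, no periodic
# expiry, and reject values that appear in breach corpora.
MIN_LEN, MAX_LEN = 8, 64


def normalize(password: str) -> str:
    # NFKC so that visually identical inputs (full-width letters, composed vs
    # decomposed accents) compare and hash identically.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    normalized = normalize(candidate)
    problems = []
    if len(normalized) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(normalized) > MAX_LEN:
        problems.append("longer than 64 characters")
    if normalized.lower() in BREACHED:
        problems.append("appears in a breach corpus")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    # Memory-hard KDF with a random per-user salt. Do not "upgrade" legacy
    # entries by wrapping them, e.g. bcrypt(md5(pw)): that invites shucking. An
    # attacker who holds the same user's unsalted md5 from another breach needs
    # one slow bcrypt check to confirm it, then cracks the fast md5 offline.
    # Hash the password directly and re-hash legacy entries at next login.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(normalize(password).encode(), salt=salt, n=2**14, r=8, p=1)
    # Storage format is invented for this demo: algorithm$salt$digest.
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return secrets.compare_digest(recomputed, stored)
```

Note that `check_password` never rejects a long passphrase for lacking a digit or symbol; the only hard rejections are length and breach-corpus membership, which is what SP 800-63B asks for.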
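The SQLi-versus-NoSQLi difference from the Charlie Belmer takeaways, as an added example that is not from the episode or its show notes. In SQL injection the attacker's input lands in the query text; in a document store the query is already structured data, so the injection is a JSON value whose keys are query operators. The block fakes a tiny MongoDB-style matcher (assumption: it supports only $ne, $gt and $lt, which is enough to show the attack) over a constructed two-document collection; nothing here is the pymongo API, and the user names and passwords are invented.

```python
import operator

# Constructed sample collection (not from the episode); plaintext passwords only
# to keep the injection demonstration short.
USERS = [
    {"user": "alice", "password": "correct-horse"},
    {"user": "bob", "password": "battery-staple"},
]

# Subset of MongoDB query operators supported by this toy matcher (assumption).
_OPS = {"$ne": operator.ne, "$gt": operator.gt, "$lt": operator.lt}


def _matches(doc: dict, query: dict) -> bool:
    """Mongo-style matching: a plain value means equality, a dict of $-operators
    is evaluated against the field. This is the structural difference from SQL:
    the *type* of the value decides whether it is data or an operator."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if value is None:
                return False
            if not all(_OPS[op](value, arg) for op, arg in cond.items()):
                return False
        elif value != cond:
            return False
    return True


def find_one(query: dict):
    return next((d for d in USERS if _matches(d, query)), None)


def login_vulnerable(body: dict):
    # The parsed JSON body goes straight into the query, so a client that sends
    # {"password": {"$ne": ""}} supplies an operator where a string was expected:
    # "password is not empty" is true for every account.
    return find_one({"user": body.get("user"), "password": body.get("password")})


def login_safe(body: dict):
    user, password = body.get("user"), body.get("password")
    # Type-check before the value reaches the query. This is the NoSQL analogue
    # of parameterisation: a str can never be interpreted as an operator.
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one({"user": user, "password": password})
```

With real drivers the same rule applies to any field that ends up in a filter, and frameworks that parse `user[$ne]=` query-string syntax into nested objects (several Node body parsers do) make the untyped path easy to hit by accident.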
Information security news for March 16: MS releases a simple tool to mitigate the impact of the "Exchange vulnerabilities" - use it if you have not patched yet; Guest registers went missing during their retention period - Orix Hotel Management; SQLi vulnerability in a WordPress membership-site plugin. Chat: on the "10 Major Information Security Threats" (individuals), #4: extortion and fraud demanding money via email, SMS and similar channels.
Colin Bell, Rob Cuddy and Kris Duer bring you another Application Paranoia episode. This episode has guest panellist Billy Weber helping to navigate through discussions about a bunch of exciting new AppScan features in the recent 10.0.4 release. There are also discussions about St. Patrick's Day being cancelled in Ireland, why SQL Injection is still a thing, zero day vulnerabilities in Accellion's File Transfer Appliance (FTA), MS Exchange email exploits and that golf is bad for the planet. So basically something for everyone...
Seth and Ken discuss interviewing techniques for technical resources, SQL injection in the media and Github's recent concurrency vulnerability. Also a discussion on recent WordPress plugin vulnerabilities and why they are always so devastating.
In today's podcast we cover four crucial cyber and technology topics, including: 1. Popular mob-based game leaks user data 2. Cisco urges users to update to protect from attacks targeting CVE-2020-3118 3. Google updates Chrome to protect from a vulnerability being actively exploited 4. Pfizer leaks customer medical information via unprotected cloud storage I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
A new meeting today with Eric Taix, architect / lead developer at Nauticspot in Montpellier. Trained in electronics with a DUT GEII (electrical engineering and industrial computing), followed by a Master's from ESISAR (engineering school for embedded systems - electronics, automation and computing - and networks) in 1992, he got into programming at ESII Média as Team Leader/Developer. Eric, wanting to stop doing thick-client work and move to web technologies, first left the company for that reason. He turned to SOAMAI as a Java developer for almost a year, after a short stint at Capgemini. He then returned to ESII Média when the company decided to make the turn to the web and needed someone experienced to drive the switch. In January 2012 he became Senior Developer/Technical Leader at SQLI for 2 years, before joining ITK (agriculture sector) as a software engineer and then Team Leader for almost 5 years. In September 2018 he joined the Teads.tv team, again as a senior developer. We talk about the early days of the web, scaling up within companies, his love for the Java ecosystem, his driving role in creating the Montpellier Java User Group (JUG), his view of IT services companies (ESN), his passion for Flutter, his philosophy of the developer's craft, the human side of hypergrowth for companies, impostor syndrome, his moves back and forth between tech and management, the importance of empathy in this job... Discover his inspiring journey, rich in lessons! Check out our RebootJS full-stack JS training at http://flint.sh/fr/academy !
Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness. To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are: Backdoors and Breaches - my favorite incident response card game. OWASP Juice Shop - my favorite vulnerable Web application. Enjoy! Backdoors and Breaches Backdoors and Breaches I love the way it teaches me to think about security controls And their proper placement Backdoors and Breaches I can’t wait to blow my paycheck just to get myself a game deck and then move Out of my mother’s basement Soon I’ll be sittin’ down and playing it with my red and blue teams Or John and gang at Black Hills Info Security And when I go to bed tonight I know what’s gonna fill my dreams Backdoors and Breaches Juice Shop VERSE 1 When you want to shop online then you had better be sure The experience is safe and also secure Don't want to let no SQLi or cross-site scripting ruin your day No, you want to break into a joyous song and say: CHORUS 1 Juice Shop! Juice Shop! You can order tasty beverages in any quantity Juice Shop! Juice Shop! Just don't test the site with Burp Suite or you won't like what you see VERSE 2 Now if you're feeling kinda sneaky and you're inclined to explore You might find inside the Juice Shop...a hidden score board It will point you towards a vuln'rability or maybe two And when you're done you'll say, "This site should get a code review!" CHORUS 2 Juice Shop! Juice Shop! It has got more holes than a warehouse filled with gallons of Swiss cheese Juice Shop! Juice Shop! ...finish the songs at 7ms.us
Didier Fauque, managing director of SQLI, is the guest of Talk Décideurs.
Fedora arrives from the future, the big players line up behind KernelCI, and researchers claim significant vulnerabilities in Horde. Plus, Google's new dashboard for WordPress and ProtonMail's apps go open source.
This time Mattias and Erik are alone in the studio and a new type of attack is on the episode's agenda: Cross Site Scripting (XSS). Perhaps not as common as SQLi, but still worth a deep dive. The episode covers the different types - Persistent and Reflected - and a list of measures that stop an attack which is actually aimed first and foremost at the end user and their browser rather than at the system, but which nevertheless has to be fixed on the server. As usual the duo drift off topic, so sea captains on Tinder and stage fright are also covered in the episode.
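The two server-side controls that the XSS episode above and the Jim Manico takeaways (nonces in your CSP rather than an allow-list) point at, as an added example that is not from either episode: contextual output encoding of untrusted input, and a per-response nonce with 'strict-dynamic'. Python standard library only; the greeting template, the init() script, the CDN host in the allow-list and the probe payload are constructed for the demo.

```python
import html
import secrets

# Constructed reflected-XSS probe (not from either episode).
PAYLOAD = "<script>alert(1)</script>"

# Host allow-list for contrast (cdn.example.com is invented). It fails as soon as
# an allow-listed origin serves anything script-like the attacker can shape
# (JSONP endpoints, old AngularJS builds), and it cannot cover inline scripts,
# which is how 'unsafe-inline' creeps back in.
ALLOWLIST_POLICY = "script-src 'self' https://cdn.example.com"


def render_vulnerable(name: str) -> str:
    # Untrusted input is placed into the markup verbatim. The browser parses it
    # as HTML, so a reflected payload runs in the victim's browser even though
    # the server itself is never compromised.
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    # Output encoding for an HTML text or attribute context. Other contexts
    # (JavaScript, URL, CSS) need their own encoders; escaping is context-bound.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def new_nonce() -> str:
    # Fresh and unguessable for every response. A reused or predictable nonce
    # turns the policy back into 'unsafe-inline'.
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    # Nonce-based policy with 'strict-dynamic': only scripts carrying this
    # response's nonce run, plus scripts those scripts load programmatically.
    # Browsers that understand 'strict-dynamic' ignore host and scheme sources,
    # so an allow-listed CDN can no longer serve as a bypass; the trailing
    # https: and 'unsafe-inline' are ignored by them and act only as a fallback
    # for older browsers.
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'"
    )


def page(name: str):
    """Headers and body for the greeting page: escaped input plus a nonced script."""
    nonce = new_nonce()
    body = render_safe(name) + f'<script nonce="{nonce}">init()</script>'
    return {"Content-Security-Policy": csp_header(nonce)}, body


def nonce_from_header(header_value: str) -> str:
    """Pull the nonce back out of a policy string, e.g. to check a response."""
    return header_value.split("'nonce-", 1)[1].split("'", 1)[0]
```

The pairing matters: escaping stops the payload from becoming markup in the first place, and the nonce policy limits the damage if an encoder is missed somewhere, because an injected `<script>` without the current nonce does not execute.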
Secure Python course: https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level
https://graphql.org/
Designed to replace REST architecture
Allows you to make a large request, uses a query language
Created at FB in 2012 (open-sourced in 2015)
JSON
Learn Enough to be dangerous
https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL
https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt’s tool on Shapeshifter
GraphQL implementations inside (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next: https://www.cybercareersummit.com/ & keynote @grrcon oct 24/25
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Derbycon Discussion (bring Matt in)
Mattias and Erik talk about SQL Injection, an attack that took shape around 1998. Back then, as websites became more advanced with a database behind them instead of plain web servers, hackers managed to break out of the queries sent to the database by injecting their own queries, and in that way extract information about the system. What is SQL injection? How do you stop it? What different types are there? Is there a well-known attack based on SQL Injection? What does the future look like? Yes, all of that is actually answered in the episode on "SQLi".
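The attack the episode describes, a query "broken out of" by the attacker's own SQL, as an added example that is not part of the episode or its show notes. It uses Python's sqlite3 with a constructed two-row users table; the table, user names and passwords are invented for the demo, and passwords are stored in plaintext only to keep the injection itself visible. The vulnerable function splices input into the query text, the safe one binds it as a parameter: the same input that logs in without a valid password against the first is just a string value against the second.

```python
import sqlite3

# Constructed sample data (not from the episode).
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Input is spliced into the SQL text, so the database parser sees it as part
    # of the statement. A password of  ' OR '1'='1  turns the WHERE clause into
    #   name = 'alice' AND password = '' OR '1'='1'
    # and a name of  alice'--  comments the password check out entirely.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameters: the statement text is fixed and the values travel
    # separately, so a quote or a comment marker in them is just data.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Run both logins against the same injected inputs and report the outcome."""
    conn = make_db()
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "honest_safe": login_safe(conn, "alice", "correct-horse"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "tautology_safe": login_safe(conn, "alice", "' OR '1'='1"),
        "comment_vulnerable": login_vulnerable(conn, "alice'--", "wrong"),
        "comment_safe": login_safe(conn, "alice'--", "wrong"),
    }
```

Escaping quotes by hand is not a substitute for binding: the parameter path works for any byte sequence and for every SQL dialect the driver supports, while an escaping routine has to be right for the exact dialect, charset and context.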
Show Notes
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
https://github.com/OWASP/ASVS
"is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."
ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
Don’t post these links in show notes
ASVS list (google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - Older BrakeSec Episode
ASVS Page 14 - "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."
What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT. Why was this added? These controls are in addition to all the other ASVS controls? How do they see section 1 architecture and section 14, configuration, in the context of rapid deployment, infrastructure as code, containerization. You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 "API") Will this be added later? What is needed to fill that in? (manpower, SMEs, etc?)
3 levels of protection… why have levels at all? Why shouldn’t everyone be at Level 3? I just don’t like the term ‘bare minimum’ (level 1) --brbr
Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ secure coding education
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
On this episode, Jim Manico joins again to talk about the ways that AppSec has changed over the years and give us an in-depth look at the history of SQL Injection and XSS. You can find Jim on Twitter @manicode The post The Extremely Unabridged History of SQLi and XSS(S04E19) appeared first on Security Journey Podcasts.
Where in the world is Ms. Amanda Berlin? Keynoting hackerconWV. Election Security, Cuyahoga County: Intro: Jeremy Mio (@cyborg00101). Name? Why are you here? Discussing how Ohio does election operations. Walk through the process: Pre-Elections, Election Night, Post Elections. All about the C.I.A.: votes must be confidential; votes must not be compromised (integrity); voting should be available and without outage. Did a tabletop exercise with all counties in Ohio (impressive!). Gamified, using role-reversal; points-based system; different technology has different point values. Physical security/chain of custody. Retention. EI-ISAC - election infra ISAC. https://www.cisecurity.org/services/albert/ - Albert system https://www.cisecurity.org/best-practices-part-1/ - election security best practices. How does the Ohio election process stack up against other states? Media Perception in Elections. Hacking and threats: 11 year olds ‘hacking election'. Yes, good for a news article title. Goes to show how easy it is to actually hack systems. Train someone on SQLI, pwn the things. Elections Security Operations and Preparation. Technology types: Ballot Booths, Mail-in ballots. Securing election infra. What can be done to make it more secure?
Web applications are under siege as hackers work around the clock to identify weak spots and steal data. Last year’s Equifax data breach put a spotlight on web-application vulnerabilities, which can be used to target any organization with an internet presence. Cyber attackers have embraced the use of automation to scan applications for vulnerabilities. Protecting against application-layer techniques such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF) and distributed denial of service (DDoS) is imperative, but automated attacks can overwhelm existing security solutions. Listen to this episode to learn: How to maintain awareness of evolving web application issues and trends Tips for advancing patch management and vulnerability assessment processes Solutions that leverage DDoS defenses, bot mitigation, artificial intelligence (AI) and API endpoint protection to combat automated attacks Techniques for protecting apps in multi-cloud infrastructures Best practices for ensuring security checks and controls are applied automatically and transparently throughout the software development lifecycle.
Please join host Brent Hilburn as he talks with GA Gubernatorial candidate Ted Metz. Information about each candidate can be found at https://lpgeorgia.com/about/candidates/ If you enjoyed the show, please rate and review! You can connect with us through Facebook at https://www.facebook.com/LPGeorgia/, and Twitter at https://twitter.com/lpgeorgia. If you are a Libertarian in the state of Georgia, find out how you can get involved at https://lpgeorgia.com Got comments or questions? Let us know in the comments below, or email podcast@lpgeorgia.com This episode was produced by Most Uniquest. Find out more at https://mostuniquest.com The theme song from this episode was "Metaltania" by Kevin MacLeod, released to the public domain through https://freepd.com
Alain Marty, Editor-in-Chief of HRD Radio.TV, and Sophie Sanchez, Deputy General Manager in charge of HR and Communication at the Synergie group, welcome Sylvie Verstraeten, HR Director at SQLI, a services group dedicated to the digital world.
From previous episodes: -Application Layer Attack: .SQLi - http://bit.ly/2EXnGCD .XSS - http://bit.ly/2EWXaoN .Shell CMD Injection - bit.ly/2oukEeH -Karcsi develops -Skype vuln. bit.ly/2BTt0nG -Password based attacks BSides Budapest 2018! Come find us!
Crypto.Québec
We cover TrueOS/Lumina working to be less dependent on Linux, How the IllumOS network stack works, Throttling the password gropers & the 64 bit inode call for testing. This episode was brought to you by Headlines vBSDCon CFP closed April 29th (https://easychair.org/conferences/?conf=vbsdcon2017) EuroBSDCon CFP closes April 30th (https://2017.eurobsdcon.org/2017/03/13/call-for-proposals/) Developer Commentary: Philosophy, Evolution of TrueOS/Lumina, and Other Thoughts. (https://www.trueos.org/blog/developer-commentary-philosophy-evolution-trueoslumina-thoughts/) Philosophy of Development No project is an island. Every single project needs or uses some other external utility, library, communications format, standards compliance, and more in order to be useful. A static project is typically a dead project. A project needs regular upkeep and maintenance to ensure it continues to build and run with the current ecosystem of libraries and utilities, even if the project has no considerable changes to the code base or feature set. “Upstream” decisions can have drastic consequences on your project. Through no fault of yours, your project can be rendered obsolete or broken by changing standards in the global ecosystem that affect your project's dependencies. Operating system focus is key. What OS is the project originally designed for? This determines how the “upstream” dependencies list appears and which “heartbeat” to monitor. Evolution of PC-BSD, Lumina, and TrueOS. With these principles in mind – let's look at PC-BSD, Lumina, and TrueOS. PC-BSD : PC-BSD was largely designed around KDE on FreeBSD. KDE/Plasma5 has been available for Linux OS's for well over a year, but is still not generally available on FreeBSD. It is still tucked away in the experimental “area51” repository where people are trying to get it working first. 
Lumina : As a developer with PC-BSD for a long time, and a tester from nearly the beginning of the project, I was keenly aware the “winds of change” were blowing in the open-source ecosystem. TrueOS : All of these ecosystem changes finally came to a head for us near the beginning of 2016. KDE4 was starting to deteriorate underneath us, and the FreeBSD “Release” branch would never allow us to compete with the rate of graphics driver or standards changes coming out of the Linux camp. The Rename and Next Steps With all of these changes and the lack of a clear “upgrade” path from PC-BSD to the new systems, we decided it was necessary to change the project itself (name and all). To us, this was the only way to ensure people were aware of the differences, and that TrueOS really is a different kind of project from PC-BSD. Note this was not a “hostile takeover” of the PC-BSD project by rabid FreeBSD fanatics. This was more a refocusing of the PC-BSD project into something that could ensure longevity and reliability for the foreseeable future. Does TrueOS have bugs and issues? Of course! That is the nature of “rolling” with upstream changes all the time. Not only do you always get the latest version of something (a good thing), you also find yourself on the “front line” for finding and reporting bugs in those same applications (a bad thing if you like consistency or stability). What you are also seeing is just how much “churn” happens in the open-source ecosystem at any given time. We are devoted to providing our users (and ourselves – don't forget we use TrueOS every day too!) a stable, reliable, and secure experience. Please be patient as we continue striving toward this goal in the best way possible, not just doing what works for the moment, but the project's future too. Robert Mustacchi: Excerpts from The Soft Ring Cycle #1 (https://www.youtube.com/watch?v=vnD10WQ2930) The author of the “Turtles on the Wire” post we featured the other week, is back with a video. 
Joyent has started a new series of lunchtime technical discussions to share information as they grow their engineering team This video focuses on the network stack, how it works, and how it relates to virtualization and multi-tenancy Basically, how the network stack on IllumOS works when you have virtual tenants, be they virtual machines or zones The video describes the many layers of the network stack, how they work together, and how they can be made to work quickly It also talks about the trade-offs between high throughput and low latency How security is enforced, so virtual tenants cannot send packets into VLANs they are not members of, or receive traffic that they are not allowed to by the administrator How incoming packets are classified, and eventually delivered to the intended destination How the system decides if it has enough available resources to process the packet, or if it needs to be dropped How interface polling works on IllumOS (a lot different than on FreeBSD) Then the last 20 minutes are about how the qemu interface of the KVM hypervisor interfaces with the network stack We look forward to seeing more of these videos as they come out *** Forcing the password gropers through a smaller hole with OpenBSD's PF queues (http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html) While preparing material for the upcoming BSDCan PF and networking tutorial (http://www.bsdcan.org/2017/schedule/events/805.en.html), I realized that the pop3 gropers were actually not much fun to watch anymore. So I used the traffic shaping features of my OpenBSD firewall to let the miscreants inflict some pain on themselves. Watching logs became fun again. The actual useful parts of this article follow - take this as a walkthrough of how to mitigate a wide range of threats and annoyances. First, analyze the behavior that you want to defend against. 
In our case that's fairly obvious: We have a service that's getting a volume of unwanted traffic, and looking at our logs the attempts come fairly quickly with a number of repeated attempts from each source address. I've written about the rapid-fire ssh bruteforce attacks and their mitigation before (and of course it's in The Book of PF) as well as the slower kind where those techniques actually come up short. The traditional approach to ssh bruteforcers has been to simply block their traffic, and the state-tracking features of PF let you set up overload criteria that add the source addresses to the table that holds the addresses you want to block. For the system that runs our pop3 service, we also have a PF ruleset in place with queues for traffic shaping. For some odd reason that ruleset is fairly close to the HFSC traffic shaper example in The Book of PF, and it contains a queue that I set up mainly as an experiment to annoy spammers (as in, the ones that are already for one reason or the other blacklisted by our spamd). The queue is defined like this:
queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300
yes, that's right. A queue with a maximum throughput of 1 kilobit per second. I have been warned that this is small enough that the code may be unable to strictly enforce that limit due to the timer resolution in the HFSC code. But that didn't keep me from trying. Now a few small additions to the ruleset are needed for the good to put the evil to the task. We start with a table to hold the addresses we want to mess with.
Actually, I'll add two, for reasons that will become clear later:
table persist counters
table persist counters
The rules that use those tables are:
block drop log (all) quick from
pass in quick log (all) on egress proto tcp from to port pop3 flags S/SA keep state (max-src-conn 2, max-src-conn-rate 3/3, overload flush global, pflow) set queue spamd
pass in log (all) on egress proto tcp to port pop3 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 6/3, overload flush global, pflow)
The last one lets anybody connect to the pop3 service, but any one source address can have only five simultaneous connections open and at a rate of six over three seconds. The results were immediately visible. Monitoring the queues using pfctl -vvsq shows the tiny queue works as expected:
queue spamd parent rootq bandwidth 1K, max 1K qlimit 300
[ pkts: 196136 bytes: 12157940 dropped pkts: 398350 bytes: 24692564 ]
[ qlength: 300/300 ]
[ measured: 2.0 packets/s, 999.13 b/s ]
and looking at the pop3 daemon's log entries, a typical encounter looks like this:
Apr 19 22:39:33 skapet spop3d[44875]: connect from 111.181.52.216
Apr 19 22:39:33 skapet spop3d[75112]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[57116]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[65982]: connect from 111.181.52.216
Apr 19 22:39:34 skapet spop3d[58964]: connect from 111.181.52.216
Apr 19 22:40:34 skapet spop3d[12410]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[63573]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[76113]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[23524]: autologout time elapsed - 111.181.52.216
Apr 19 22:40:34 skapet spop3d[16916]: autologout time elapsed - 111.181.52.216
here the miscreant comes in way too fast and only manages to get five connections going before they're shunted to the tiny queue to fight it out with known spammers for a share of bandwidth.
One important takeaway from this, and possibly the most important point of this article, is that it does not take a lot of imagination to retool this setup to watch for and protect against undesirable activity directed at essentially any network service. You pick the service and the ports it uses, then figure out what are the parameters that determine what is acceptable behavior. Once you have those parameters defined, you can choose to assign to a minimal queue like in this example, block outright, redirect to something unpleasant or even pass with a low probability. 64-bit inodes (ino64) Status Update and Call for Testing (https://lists.freebsd.org/pipermail/freebsd-fs/2017-April/024684.html) Inodes are data structures corresponding to objects in a file system, such as files and directories. FreeBSD has historically used 32-bit values to identify inodes, which limits file systems to somewhat under 2^32 objects. Many modern file systems internally use 64-bit identifiers and FreeBSD needs to follow suit to properly and fully support these file systems. The 64-bit inode project, also known as ino64, started life many years ago as a project by Gleb Kurtsou (gleb@). After that time several people have had a hand in updating it and addressing regressions, after mckusick@ picked up and updated the patch, and acted as a flag-waver. Overview : The ino64 branch extends the basic system types ino_t and dev_t from 32-bit to 64-bit, and nlink_t from 16-bit to 64-bit. Motivation : The main risk of the ino64 change is the uncontrolled ABI breakage. Quirks : We handled kinfo sysctl MIBs, but other MIBs which report structures depended on the changed type, are not handled in general. It was considered that the breakage is either in the management interfaces, where we usually allow ABI slip, or is not important. Testing procedure : The ino64 project can be tested by cloning the project branch from GitHub or by applying the patch to a working tree. New kernel, old world. 
New kernel, new world, old third-party applications. 32bit compat. Targeted tests. NFS server and client test Other filesystems Test accounting Ports Status with ino64 : A ports exp-run for ino64 is open in PR 218320. 5.1. LLVM : LLVM includes a component called Address Sanitizer or ASAN, which tries to intercept syscalls, and contains knowledge of the layout of many system structures. Since stat and lstat syscalls were removed and several types and structures changed, this has to be reflected in the ASAN hacks. 5.2. lang/ghc : The ghc compiler and parts of the runtime are written in Haskell, which means that to compile ghc, you need a working Haskell compiler for bootstrap. 5.3. lang/rust Rustc has a similar structure to GHC, and the same issue. The same solution of patching the bootstrap was done. Next Steps : The tentative schedule for the ino64 project: 2017-04-20 Post wide call for testing : Investigate and address port failures with maintainer support 2017-05-05 Request second exp-run with initial patches applied : Investigate and address port failures with maintainer support 2017-05-19 Commit to HEAD : Address post-commit failures where feasible *** News Roundup Sing, beastie, sing! (http://meka.rs/blog/2017/01/25/sing-beastie-sing/) FreeBSD digital audio workstation, or DAW for short, is now possible. At this very moment it's not that user friendly, but you'll manage. What I want to say is that I worked on porting some of the audio apps to FreeBSD, met some other people interested in porting audio stuff and became heavily involved with DrumGizmo - drum sampling engine. Let me start with the basic setup. FreeBSD doesn't have hard real-time support, but it's pretty close. For the needs of audio, FreeBSD's implementation of real-time is sufficient and, in my opinion, superior to the one you can get on Linux with RT path (which is ugly, not supported by distributions and breaks apps like VirtualBox). 
As the default install of FreeBSD is concerned with real-time too much, we have to tweak sysctl a bit, so append this to your /etc/sysctl.conf:
kern.timecounter.alloweddeviation=0
hw.usb.uaudio.buffer_ms=2 # only on -STABLE for now
hw.snd.latency=0
kern.coredump=0
So let me go through the list. The first item tells FreeBSD how many events it can aggregate (or wait for) before emitting them. The reason this is the default is because aggregating events saves a bit of power, and currently more laptops are running FreeBSD than DAWs. The second one is the lowest possible buffer for the USB audio driver. If you're not using USB audio, this won't change a thing. The third one has nothing to do with real-time, but when dealing with programs that consume ~3GB of RAM, dumping cores around made a problem on my machine. Besides, core dumps are only useful if you know how to debug the problem, or someone is willing to do that for you. I like to not generate those files by default, but if some app is constantly crashing, I enable dumps, run the app, crash it, and disable dumps again. I lost 30GB in under a minute by examining 10 different drumkits of DrumGizmo and all of them gave me 3GB of core file, each. More setup instructions follow, including jackd setup and PulseAudio using virtual_oss. With this setup I can play OSS, JACK and PulseAudio sound all at the same time, which I was not able to do on Linux. FreeBSD 11 Unbound DNS server (https://itso.dk/?p=499) In FreeBSD, there is a built-in DNS server called Unbound. So why would you run a local DNS server? I am in a region where internet traffic is still a bit expensive, which also implies slow, with high response times. To speed that up a little, you can use your own DNS server. It will speed things up because for every homepage you visit, there will be several hooks to other domains: commercials, site components, and links to other sites. These will now all be cached locally on your new DNS server. 
In my case I use an old PC-Engine Alix board for my home DNS server, but you can use almost everything, Raspberry Pi, old laptop/desktop and others. As long as it runs FreeBSD. Goes into more details about what commands to run and which services to start Try it out if you are in a similar situation *** Why it is important that documentation and tutorials be correct and carefully reviewed (https://arxiv.org/pdf/1704.02786.pdf) A group of researchers found that a lot of online web programming tutorials contain serious security flaws. They decided to do a research project to see how this impacts software that is written possibly based on those tutorials. They used a number of simple google search terms to make a list of tutorials, and manually audited them for common vulnerabilities. They then crawled GitHub to find projects with very similar code snippets that might have been taken from those tutorials. The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi). Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerability discovery at scale. To validate our hypothesis, we propose a semi-automated approach to find recurring vulnerabilities starting from a handful of top-ranked tutorials that contain vulnerable code snippets. We evaluate our approach by performing an analysis of tens of thousands of open-source web applications to check if vulnerabilities originating in the selected tutorials recur. Our analysis framework has been running on a standard PC, analyzed 64,415 PHP codebases hosted on GitHub thus far, and found a total of 117 vulnerabilities that have a strong syntactic similarity to vulnerable code snippets present in popular tutorials. 
In addition to shedding light on the anecdotal belief that programmers reuse web tutorial code in an ad hoc manner, our study finds disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. Moreover, our findings testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point. The researchers found 117 vulnerabilities; of these, at least 8 appear to be nearly exact copy/pastes of the tutorials that were found to be vulnerable. *** 1.3.0 Development Preview: New icon themes (https://lumina-desktop.org/1-3-0-development-preview-new-icon-themes/) As version 1.3.0 of the Lumina desktop starts getting closer to release, I want to take a couple weeks and give you all some sneak peeks at some of the changes/updates that we have been working on (and are in the process of finishing up). New icon theme (https://lumina-desktop.org/1-3-0-development-preview-new-icon-themes/) Material Design Light/Dark There are a lot more icons available in the reference icon packs which we still have not gotten around to renaming yet, but this initial version satisfies all the XDG standards for an icon theme + all the extra icons needed for Lumina and its utilities + a large number of additional icons for application use. This highlights one of the big things that I love about Lumina: it gives you an interface that is custom-tailored to YOUR needs/wants – rather than expecting YOU to change your routines to accommodate how some random developer/designer across the world thinks everybody should use a computer. Lumina Media Player (https://lumina-desktop.org/1-3-0-development-preview-lumina-mediaplayer/) This is a small utility designed to provide the ability for the user to play audio and video files on the local system, as well as stream audio from online sources. 
For now, only the Pandora internet radio service is supported via the “pianobar” CLI utility, which is an optional runtime dependency. However, we hope to gradually add new streaming sources over time. For a long time I had been using another Pandora streaming client on my TrueOS desktop, but it was very fragile with respect to underlying changes: LibreSSL versions for example. The player would regularly stop functioning for a few update cycles until a version of LibreSSL which was “compatible” with the player was used. After enduring this for some time, I was finally frustrated enough to start looking for alternatives. A co-worker pointed me to a command-line utility called “pianobar“, which was also a small client for Pandora radio. After using pianobar for a couple weeks, I was impressed with how stable it was and how little “overhead” it required with regards to extra runtime dependencies. Of course, I started thinking “I could write a Qt5 GUI for that!”. Once I had a few free hours, I started writing what became lumina-mediaplayer. I started with the interface to pianobar itself to see how complicated it would be to interact with, but after a couple days of tinkering in my spare time, I realized I had a full client to Pandora radio basically finished. 
Beastie Bits vBSDCon CFP closes April 29th (https://easychair.org/conferences/?conf=vbsdcon2017) EuroBSDCon CFP closes April 30th (https://2017.eurobsdcon.org/2017/03/13/call-for-proposals/) clang(1) added to base on amd64 and i386 (http://undeadly.org/cgi?action=article&sid=20170421001933) Theo: “Most things come to an end, sorry.” (https://marc.info/?l=openbsd-misc&m=149232307018311&w=2) ASLR, PIE, NX, and other capital letters (https://www.dragonflydigest.com/2017/04/24/19609.html) How SSH got port number 22 (https://www.ssh.com/ssh/port) Netflix Serving 90Gb/s+ From Single Machines Using Tuned FreeBSD (https://news.ycombinator.com/item?id=14128637) Compressed zfs send / receive lands in FreeBSD HEAD (https://svnweb.freebsd.org/base?view=revision&revision=317414) *** Feedback/Questions Steve - FreeBSD Jobs (http://dpaste.com/3QSMYEH#wrap) Mike - CuBox i4Pro (http://dpaste.com/0NNYH22#wrap) Steve - Year of the BSD Desktop? (http://dpaste.com/1QRZBPD#wrap) Brad - Configuration Management (http://dpaste.com/2TFV8AJ#wrap) ***
When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics and we wonder why it's so difficult to get devs to understand. It's a language barrier folks. They think in terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often, that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team. Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders. Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3 Itunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2 Bill's #DerbyCon Talk "#Developers: Care and Feeding": http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me11-developers-care-and-feeding-bill-sempf Bill's Blog: https://sempf.net/ Bill's Twitter: http://www.twitter.com/sempf Check us out using the #TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ #RSS: http://www.brakeingsecurity.com/rss
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Jason-Haddix-How-Do-I-shot-Web.pdf How to Shot Web: Web and mobile hacking in 2015 Jason Haddix Director of Technical Operations, Bugcrowd 2014 was a year of unprecedented participation in crowdsourced and static bug bounty programs, and 2015 looks like a trendmaker. Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools, and tips make you better at hacking websites and mobile apps to claim those bounties. Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that every tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time-saving techniques as he can fit in. Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.
Last week, we talked with Shreeraj Shah about HTML5, how it came into being, and the fact that instead of solving OWASP issues it introduces new and wonderful vulnerabilities, like exploiting locally stored web site info using XSS techniques and doing SQLi on the new browser WebSQL. So this week, it's all about defensive techniques that you can use to educate your developers against making mistakes that could get your company's web application on the front page of the newspaper.
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Davisson-Alejandro/DEFCON-22-Eric-Davisson-Ruben-Alejandro-Abuse-of-Blind-Automation-in-Security-Tools.pdf Abuse of Blind Automation in Security Tools Eric (XlogicX) Davisson SECURITY RESEARCHER Ruben Alejandro (chap0) SECURITY RESEARCHER It is impossibly overwhelming for security personnel to manually analyze all of the data that comes to them in a meaningful way. Intelligent scripting and automation are key. This talk aims to be a humorous reminder of why the word "intelligent" really matters; your security devices might start doing some stupid things when we feed them. This talk is about abusing signature detection systems and confusing or saturating the tool or analyst. Some technologies you can expect to see trolled are anti-virus, intrusion detection, forensic file carving, PirateEye (yep), grocery store loyalty cards (huh?), and anything we can think of abusing. Expect to see some new open-source scripts that you can all use. The presenters don't often live in the high-level, so you may see the terminal, some hex and bitwise maths, raw signatures, and demonstrations of these wacky concepts in action. We don't intend to present dry slides on "hacker magic" just to look 1337. We want to show you cool stuff that we are passionate about, stuff we encourage everyone to try themselves, and maybe inspire new ideas (even if they're just pranks... especially). Eric has obtained degrees in computer engineering, business, and criminal justice. He has SANS certifications for GCIH and GCIA and is currently studying for GREM. This isn't so important to Eric; however, this is the type of thing we like seeing in bios. His interest is in the obscure. While having a basic grip on the general XSS, SQLi, Buffer Overflow (OWASP top whatever), he finds obscurity much more interesting; it's true adventure to him.
He enjoys all things low level (and would argue all hackers should); this means he has an "amateur" background in embedded/assembly and does some ignorant EE stuff. He also tries to replace every script with a well-crafted regular expression. Eric currently resides in Phoenix, Arizona. He is active in his local 2600 community. Finally, he has fond memories of DEFCON at Alexis Park. Twitter: @XlogicX Ruben Alejandro has professional experience in security along with some of the certifications that come with it. His interests are geared to the offensive side of security; he's made some contributions to Metasploit and Exploit-DB. He is really into the community and doesn't want to bore anyone with any more InfoSec in this bio; he just looks forward to chatting with everyone at the con and having a good time. Twitter: @_chap0
As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these. So this week, we discuss the lower half of the Top 10, the ones that aren't as glamorous or as earth-shaking as XSS or SQLi, but are gotchas that will bite thine ass just as hard. Next week is the big ones, the Top 5... all your favorites, in one place! OWASP Top 10 (2013) PDF: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6 Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
Synopsis When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting, from hearing of David's recent work with Oracle to Jim's perspective on "the fix"... I kept the conversation going and am probably at least partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics: Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment) Jim & David talk about how to do sane SQL Injection protection (bind everything!) David talks about some contrived ways of hacking Oracle databases that are 'outside the business logic' and explains why validation is still important Jim brings up structural validation of inputs (useful white-listing) David brings up that his exploits from 2007 are STILL working in 2012 - terrifying "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection David talks about unconventional database forensics that identify attacks via web logs Vendors have upped their game to protect applications; developers are still writing bad code Jim Manico: "We are entering the golden age of hackers" ... does this mean better security?! David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers Jim asks "does the [development] framework of the future consider security as a built-in?" Guests Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word. You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.
This week we're joined by Ryan Ward to discuss the news. Tom Mackenzie talks to us about a recently discovered SQLi in eBay, and Jac0byterebel discusses the SPToolkit.
Intro: Тартак - Я не хочу Discussion of the Internet filtering law ( http://goo.gl/6YaFd ) EFF on SSL security ( http://goo.gl/DIiT5 ) THC-SSL-DOS tool: so that everyone is afraid ( http://goo.gl/5rbTf ) Attack of the week: XML encryption ( http://goo.gl/gTT8m ) Assessing the security of two-factor authentication, using Google as the example ( http://goo.gl/xkEvA ) Detecting and countering attacks on SSL (PDF) ( http://goo.gl/3keP ) ЗЦК, patch management and pentests in low orbit ( http://goo.gl/bjYLC , http://goo.gl/AEsNH ) An old story about NASA and "Pigs in Space" ( http://goo.gl/BCYsE ) Outcomes of the RSA SecurID attack (for RSA) ( http://goo.gl/bYbe1 ) and marketing in infosec ( Kaspersky & Me: "Packin' The K!" - http://goo.gl/J255l ) Outcomes of the RSA SecurID attack (in general): Brian Krebs's list of suspected victims ( http://goo.gl/niODa ) Darth DuQu ( http://goo.gl/a6wyA ) Links on the Internet, freedom of speech, and Canada in general ( http://goo.gl/lKlrl ) Top 10 dumbest hacks in the world ( http://goo.gl/zfoiB ) SQLi on a license plate ( http://goo.gl/F9WZ ) The newest mysterious DoS in Apache HTTPD ( http://goo.gl/3Z03L ) IPv6 phishing on VKontakte ( http://goo.gl/u6xsb ): give grandma her money back! ( http://goo.gl/UiOGH ) Preparing for the UISGv7 conference: new website, registration progress, talk topics, FAQ ( http://7.uisgcon.org ) Mobile and user security. Special guest: Vladimir Bezmaly (Mobile threats, video: http://goo.gl/6F4t9 ; Criticism of Android support: http://goo.gl/VuAd8 ) Questions for the guest: career path, MVP Consumer Security Lazee feat. Neverstore - Hold On (Matrix & Futurebound's Terrace Tantrum Remix)