Podcasts about Transport Layer Security

Cryptographic protocols for securing data in transit

  • 38 podcasts
  • 49 episodes
  • 38m average episode duration
  • 1 new episode per month
  • Latest episode: Jan 14, 2025
Popularity chart: Transport Layer Security, 2017 to 2024

Latest podcast episodes about Transport Layer Security

Packet Pushers - Full Podcast Feed
PP045: Reducing the Risk of Compromised Digital Certificates with CAA and Certificate Transparency

Jan 14, 2025 (31:28)


Transport Layer Security (TLS) relies on certificates to authenticate Web sites and enable encryption. On today’s Packet Protector we look at mechanisms that domain owners can take to ensure the validity of their digital certificates. More specifically, we cover Certification Authority Authorization (CAA) and Certificate Transparency (CT). Our guest is Ed Harmoush. Ed is a...
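
Added example, not from the episode or from any CA's code: the CAA authorization decision a CA has to make before issuing, following RFC 8659 (climb from the requested name toward the root, take the first CAA RRset found, then apply the issue/issuewild properties and the critical flag). The ZONE table is constructed stand-in DNS data; the domain names and CA identifiers in it are assumptions, and a real check would fetch the RRsets with a resolver such as dnspython.

```python
# Added example (not from the Packet Pushers episode or any CA's code): the
# CAA lookup and authorization decision a CA performs before issuing, per
# RFC 8659. ZONE is constructed stand-in data for DNS; a real check would
# fetch CAA RRsets with a resolver such as dnspython.

# (flags, tag, value) tuples, keyed by fully qualified owner name.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; accounturi=https://acme.digicert.com/acct/123"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [(0, "issue", ";")],          # nobody may issue
    "wild.example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "digicert.com"),                 # wildcard certs: DigiCert only
    ],
    "strict.example.com.": [(128, "futuretag", "x")],     # critical flag on an unknown property
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name, zone):
    """RFC 8659 s3: walk from `name` toward the root; the first non-empty
    CAA RRset found governs issuance for `name`. Returns (owner, rrset)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):          # stops before the root itself
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def parse_issue_value(value):
    """'ca-domain; k=v; ...' -> (ca_domain, {k: v}); an empty domain means
    the property authorizes no CA at all (the 'issue ;' form)."""
    head, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for p in rest:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return head.lower(), params


def may_issue(name, ca, zone, wildcard=False):
    """Decide whether CA `ca` may issue for `name` (or *.name if wildcard).
    Returns (allowed, reason)."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA RRset at any ancestor: issuance unrestricted"
    # Any critical property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}' at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"no governing issue/issuewild property at {owner}"
    for value in governing:
        domain, params = parse_issue_value(value)
        if domain and domain == ca.lower():
            extra = f" with parameters {params}" if params else ""
            return True, f"authorized by '{domain}' at {owner}{extra}"
    return False, f"{ca} is not authorized by the CAA RRset at {owner}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "globalsign.com", False),
                           ("locked.example.com", "letsencrypt.org", False),
                           ("wild.example.com", "letsencrypt.org", True),
                           ("strict.example.com", "letsencrypt.org", False),
                           ("example.org", "letsencrypt.org", False)]:
        print(host, "*." if wild else "", ca, "->", may_issue(host, ca, ZONE, wild))
```

The two checks that are easy to get wrong in practice are both here: an `issuewild`-only RRset does not restrict non-wildcard issuance, and an `issue` RRset without `issuewild` does restrict wildcard issuance. CAA is only a promise the CA is obliged to keep; Certificate Transparency is what lets the domain owner notice when a CA did not, which is why the episode pairs the two.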

Packet Pushers - Full Podcast Feed
D2DO249: The Anatomy of TLS 1.3 and Why You Should Risk It

Aug 21, 2024 (36:20)


Transport Layer Security (TLS) is today’s topic with guest Ed Harmoush. TLS plays a critical role in Internet security, and we dive into the differences between versions 1.2 and 1.3. In addition, Ed shares his journey into TLS, explains its components, and addresses common misconceptions about certificates and their validation processes. The episode also highlights...
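
Added example, not from the episode or any TLS implementation: the top of the TLS 1.3 key schedule from RFC 8446, which is where much of the difference from TLS 1.2's PRF-based master secret sits. It builds HKDF-Extract/Expand (RFC 5869) from HMAC-SHA-256 and walks the early secret, handshake secret, handshake traffic secrets and master secret through to AES-128-GCM handshake keys. The ECDHE shared secret and transcript bytes passed in are constructed placeholders, not data from a real handshake.

```python
import hashlib
import hmac
import struct

# Added example, not from the episode or any TLS library: the top of the
# TLS 1.3 key schedule (RFC 8446 s7.1) for the SHA-256 cipher suites,
# built from HKDF (RFC 5869). The shared secret and transcript passed in
# below are constructed placeholders, not real handshake data.

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt, ikm):
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to `length`."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 HKDF-Expand-Label. The info is the HkdfLabel struct:
    uint16 length, opaque label<7..255> ("tls13 " + label), opaque context<0..255>."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret, label, messages):
    """RFC 8446 Derive-Secret: expand with Hash(messages) as the context."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HLEN)


def key_schedule(ecdhe_shared, transcript_to_server_hello, psk=b""):
    """Derive early/handshake/master secrets and the handshake traffic keys
    (AES-128-GCM sizes). With no PSK the early secret is Extract(0, 0)."""
    zeros = bytes(HLEN)
    early_secret = hkdf_extract(zeros, psk or zeros)
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""),
                                    ecdhe_shared)
    client_hs = derive_secret(handshake_secret, b"c hs traffic", transcript_to_server_hello)
    server_hs = derive_secret(handshake_secret, b"s hs traffic", transcript_to_server_hello)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), zeros)
    keys = {}
    for side, sec in (("client", client_hs), ("server", server_hs)):
        keys[side] = {"key": hkdf_expand_label(sec, b"key", b"", 16),   # AES-128 key
                      "iv": hkdf_expand_label(sec, b"iv", b"", 12)}     # 96-bit nonce base
    return {"early_secret": early_secret, "handshake_secret": handshake_secret,
            "master_secret": master_secret, "client_hs": client_hs,
            "server_hs": server_hs, "keys": keys}


if __name__ == "__main__":
    # Constructed inputs: a fake X25519 shared secret and fake ClientHello||ServerHello bytes.
    ks = key_schedule(bytes.fromhex("11" * 32), b"constructed ClientHello||ServerHello")
    for name in ("early_secret", "handshake_secret", "master_secret"):
        print(f"{name:17s} {ks[name].hex()}")
    print("client hs key/iv ", ks["keys"]["client"]["key"].hex(), ks["keys"]["client"]["iv"].hex())
```

With no PSK the early secret is HKDF-Extract over an all-zero salt and all-zero key, a constant that also appears in the RFC 8448 handshake traces; everything below it changes per connection because the ECDHE output and the transcript hash change. The per-record nonce is the `iv` XORed with the record sequence number, which the block does not show, and the application traffic secrets are derived from the master secret in the same way with the transcript extended through the server Finished message.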

PING
Calling time on DNSSEC part 2 of 2

Jul 24, 2024 (49:45)


In his regular monthly spot on PING, APNIC's Chief Scientist Geoff Huston continues his examination of DNSSEC. In the first part of this two-part story, Geoff explored the problem space, with a review of the comparative failure of DNSSEC to be deployed by zone holders, and the lack of validation by the resolvers. This is visible to APNIC labs from carefully crafted DNS zones with validly and invalidly signed DNSSEC states, which are included in the Labs advertising method of user measurement. This second episode offers some hope for the future. It reviews the changes which could be made to the DNS protocol, or use of existing aspects of DNS, to make DNSSEC safer to deploy. There is considerable benefit to having trust in names, especially as a "service" to Transport Layer Security (TLS) which is now ubiquitous worldwide in the web.

Hacker Public Radio
HPR4081: The Oh No! News.

Mar 25, 2024


The Oh No! news. Oh No! News is Good News.

TAGS: Oh No News, Threat analysis, QNAP

Threat analysis; your attack surface.

Source: QNAP warns of critical auth bypass flaw in its NAS devices. The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
  • CVE-2024-21899: If exploited, the improper authentication vulnerability could allow users to compromise the security of the system via a network.
  • CVE-2024-21900: If exploited, the injection vulnerability could allow authenticated users to execute commands via a network.
  • CVE-2024-21901: If exploited, the SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network.
The flaws impact various versions of QNAP's operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.

Source: Switzerland: Play ransomware leaked 65,000 government documents. In a new statement published today, the Swiss government confirmed that 65,000 government documents were leaked in the breach.

Supporting Source: Hacker attack on Xplain: National Cyber Security Centre publishes data analysis report. Relevance of the published data volume. The data package published on the darknet comprised around 1.3 million files. Once the data had been downloaded, the NCSC took the lead in systematically categorising and triaging all documents relevant to the Federal Administration. The results showed that the volume of data relevant to the Federal Administration comprised around 65,000 documents, or approximately 5% of the total published data set. The majority of these files belonged to Xplain (47,413) with a share of over 70%; around 14% (9,040) belonged to the Federal Administration. Around 95% of the Federal Administration’s files belonged to the administrative units of the Federal Department of Justice and Police (FDJP): the Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and the internal IT service centre ISC-FDJP. With just over 3% of the data, the Federal Department of Defence, Civil Protection and Sport (DDPS) is slightly affected and the other departments are only marginally affected in terms of volume.

Proportion of sensitive data. Sensitive content such as personal data, technical information, classified information and passwords was found in around half of the Federal Administration's files (5,182). Personal data such as names, email addresses, telephone numbers and postal addresses were found in 4,779 of these files. In addition, 278 files contained technical information such as documentation on IT systems, software requirement documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.

Supporting Source: Information about the hacker attack on Xplain. Xplain filed a criminal complaint after the incident, provided the authorities with all the necessary information and cooperated with them in investigating and limiting the damage. We rebuilt the entire IT infrastructure in accordance with the recommendations of the National Cyber Security Center (NCSC) and replaced the external operators. An external audit of the infrastructure and processes was completed in November. The NCSC subsequently wrote an assessment of the audit. The Federal Council's strategy crisis team on data leaks (PSC-D) took note of the report.

Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs. A threat actor is creating fake Skype, Google Meet, and Zoom meetings, mimicking these popular collaboration applications to spread various commodity malware that can steal sensitive data from both Android and Windows users.

Additional Information.

What is a "Data Breach"? A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so.

What is "Malware"? Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.

What is a "Payload"? In the context of a computer virus or worm, the payload is the portion of the malware which performs malicious action; deleting data, sending spam or encrypting data. In addition to the payload, such malware also typically has overhead code aimed at simply spreading itself, or avoiding detection.

What is "Phishing"? Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and traverse any additional security boundaries with the victim.

Social engineering (security): In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

What is "Information Security" (InfoSec)? Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. Information Security Attributes: Confidentiality, Integrity and Availability (C.I.A.). Information Systems are composed in three main portions, hardware, software and communications with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell administrators, users and operators how to use products to ensure information security within the organizations.

What is "Risk management"? Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

What is a "Vulnerability" (computing)? Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware.

What is an "Attack Surface"? The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.

What is an "Attack Vector"? In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.

What is "Standardization"? Standardization is the process of implementing and developing technical standards based on the consensus of different parties that include firms, users, interest groups, standards organizations and governments. Standardization can help maximize compatibility, interoperability, safety, repeatability, or quality. It can also facilitate a normalization of formerly custom processes. List of computer standards. List of technical standard organizations.

What is a "Replay attack"? A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. Another way of describing such an attack is: "an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."

What is a "Man-in-the-middle attack"? In cryptography and computer security, a man-in-the-middle, ..., attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

What is "Transport Layer Security" (TLS)? Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

What is a "Handshake" (computing)? In computing, a handshake is a signal between two devices or programs, used to, e.g., authenticate, coordinate. An example is the handshaking between a hypervisor and an application in a guest virtual machine.

What is Security theater? The practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.

License: Creative Commons Attribution-ShareAlike 4.0 International. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Becoming a Hiring Machine
057: Trending Topics – Avoid Email Purgatory Amid Changing Anti-Spam Rules ft. Ilia Cheishvili

Jan 4, 2024 (27:30)


Google and Yahoo are rolling out stricter guidelines for email sending starting February 2024 — and recruiters are (rightfully!) anxious about how this may impact their outreach. In this episode, we break down these new anti-spam rules with Loxo's CTO, Ilia Cheishvili. The new guidelines include authenticating outgoing emails, avoiding unsolicited emails, and simplifying unsubscribing — but it's complex. We dissect SPF, DKIM, DMARC, and DNS requirements, aiming to understand their impact — and along the way, we of course share actionable tips to help you avoid trouble and stay out of email purgatory.

Chapters:
00:00 - Podcast Intro
01:22 - Email Protocol Changes: Google and Yahoo's Fight Against Spam
03:33 - The Impact of Email Guidelines on Recruiters' Outreach Practices
04:58 - Email Security: The Role of SPF and DKIM
09:14 - Demystifying DMARC for Secure Email Transmission
10:56 - Exploring PTR and DNS: Email Sender Verification
14:26 - Delving into Transport Layer Security (TLS) for Safer Emails
15:58 - Simplifying Unsubscribe Options for Email Recipients
17:54 - Consequences of Ignoring Email Guidelines for Recruiters
21:28 - Balancing Outreach for Optimal Business Development and Candidate Outreach
26:02 - Parting Insights and Farewell for This Episode

Explore all our episodes and catch the full video experience at loxo.co/podcast
Becoming a Hiring Machine is brought to you by Loxo. To discover more about us, just visit loxo.co
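
Added example, not from the episode or from Loxo: a small SPF evaluator (the RFC 7208 ip4/ip6/include/all terms and the redirect modifier, with the ten-lookup limit) and the DMARC identifier-alignment step from RFC 7489 that ties the SPF and DKIM results back to the From: domain, which is the part of the new rules that trips senders up. TXT is constructed stand-in DNS data; the domains, addresses and policy values are assumptions, as is the two-label organizational-domain approximation used in place of the Public Suffix List.

```python
import ipaddress

# Added example (not from the episode or Loxo): a minimal SPF evaluator
# (RFC 7208: ip4/ip6/include/all mechanisms plus redirect=) and the DMARC
# identifier-alignment check (RFC 7489). TXT is constructed stand-in DNS
# data; a real implementation resolves these records and also handles the
# a/mx/exists mechanisms and the Public Suffix List.

TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "news.example.com": "v=spf1 redirect=example.com",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4 limit on DNS-querying terms


def check_spf(ip, domain, txt, _state=None):
    """Evaluate the SPF record of `domain` for sending address `ip`."""
    state = _state if _state is not None else {"lookups": 0}
    record = txt.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, txt, state)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):  # a missing included record is a permerror
                return "permerror"
        elif name.startswith("redirect="):
            redirect = name.split("=", 1)[1]
        else:
            return "permerror"  # mechanism not implemented in this example
    if redirect:
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror"
        return check_spf(ip, redirect, txt, state)
    return "neutral"  # nothing matched and no "all" term


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption;
    RFC 7489 uses the Public Suffix List, so co.uk-style names need that)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def check_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, txt):
    """Return (dmarc_result, policy) for a message whose RFC5322.From domain is
    `from_domain`, given the SPF result/MAIL FROM domain and DKIM result/d= domain."""
    record = (txt.get("_dmarc." + from_domain.lower())
              or txt.get("_dmarc." + org_domain(from_domain)))
    if not record or not record.lower().startswith("v=dmarc1"):
        return "none", None
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")


if __name__ == "__main__":
    # Constructed message: From: example.com, sent from 198.51.100.10 with MAIL FROM example.com.
    spf = check_spf("198.51.100.10", "example.com", TXT)
    print("SPF:", spf)
    print("DMARC:", check_dmarc("example.com", spf, "example.com", "fail", "", TXT))
    # A valid DKIM signature from a subdomain fails strict alignment (adkim=s).
    print("DMARC:", check_dmarc("example.com", "fail", "example.com", "pass", "mail.example.com", TXT))
```

The second DMARC call in the usage block is the case recruiters' mail platforms hit: the message is authenticated, but the domain that authenticated it is not the one in the From: header, so the receiver applies `p=reject`. Transport encryption (the episode's TLS chapter) is orthogonal to all of this; STARTTLS protects the hop, it says nothing about who is allowed to send as the domain.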

Hacker Public Radio
HPR3997: The Oh No! News.

Nov 28, 2023


The Oh No! news. Oh No! News is Good News.

TAGS: Oh No, News, Threat analysis, InfoSec, Google Dynamic Search Ads

Threat analysis; your attack surface.

Source: Former NHS secretary found guilty of illegally accessing medical records. A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people. Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.
Supporting Source: Open Street Map link to Redditch Worcestershire.

Source: NetSupport RAT Infections on the Rise, Targeting Government and Business Sectors. While NetSupport Manager started off as a legitimate remote administration tool for technical assistance and support, malicious actors have misappropriated the tool to their own advantage, using it as a beachhead for subsequent attacks.

Source: Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware. The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site.

Source: Trojanized PyCharm Software Version Delivered via Google Search Ads. Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

InfoSec; the language of security.

Source: Why Defenders Should Embrace a Hacker Mindset.

The Science of Everything Podcast
Episode 139: Cybersecurity and Cryptocurrencies

Oct 15, 2023 (77:46)


An introduction to cryptography, internet security, and cryptocurrency, beginning with an overview of RSA cryptography and covering the use of public and private keys and their incorporation into the Transport Layer Security protocol used for secure internet communications. We then examine the key features of cryptocurrencies, including the blockchain, proof of work consensus mechanism, the use of hash functions, and the role of crypto mining. We conclude with a discussion of some of the advantages and disadvantages of cryptocurrencies, including their anonymity, volatility, use in crime, and environmental impacts. If you enjoyed the podcast please consider supporting the show by making a PayPal donation or becoming a Patreon supporter. https://www.patreon.com/jamesfodor https://www.paypal.me/ScienceofEverything

Hacker Public Radio
HPR3957: The Oh No! News.

Oct 3, 2023


The Oh No! news. Oh No! News is Good News.

TAGS: User space, investment scams, recovery scams

User space.

Source: Avoiding and Reporting Scams.
Supporting Source: Refund and Recovery Scams.
Supporting Source: Investment opportunity scams.
Source: Reddit Community: r/Scams

CISSP Cyber Training Podcast - CISSP Training Program
CCT 057: CISSP Exam Questions (Domain 4)

Jul 27, 2023 (11:49, transcription available)


Ever wondered how to ace the CISSP Cyber exam's domain four? Or, perhaps, you're merely intrigued by the intricate world of Voice over IP (VOIP)? Either way, this episode is packed with the insights you've been seeking! Join me, Sean Gerber, as we dissect the key protocols that VOIP uses for multimedia transmissions. Together, we'll unravel the complex intricacies of Session Initiation Protocol (SIP) messages and how sessions kick off in a VOIP implementation. You'll also gain an understanding of the differences between Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) and how they're applied. As we journey deeper into this episode, we'll explore the fascinating world of Internet Small Computer Systems Interface (iSCSI), focusing on its functions and default ports. Fear not, the mystery of SCSI command encapsulation will no longer be a mystery to you! We'll then shift our attention to the security aspects of SIP-based VOIP traffic, scrutinizing SIP-aware firewalls and the implementation of Transport Layer Security (TLS). Finally, we'll round off our discussion by examining RTCP's role in providing quality of service feedback in a VOIP implementation and wrapping up with an understanding of block-level transport in iSCSI. Prepare to expand your cybersecurity knowledge in a way you never thought possible! Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Hacker Public Radio
HPR3906: The Oh No! News.

Hacker Public Radio

Play Episode Listen Later Jul 24, 2023


The Oh No! news. Oh No! News is Good News.
TAGS: Oh No News, InfoSec, browser security, session tokens, session id
InfoSec; the language of security.
Source: Session ID.
Source: JSON Web Token. Terms of Use: Copyleft, free content.
Source: Session vs Token Based Authentication. Terms of Use: CC-BY-SA (with CC-BY-NC-SA elements).
Source: Steal Application Access Token. Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS). Terms of Use: Similar to CC-BY-SA.
Source: Analysis: CircleCI attackers stole session cookie to bypass MFA. Terms of Use: Section 8. CONTENT AND CONTENT LICENSES. NOT certain.
Source: How to Prevent Session Hijacking? Terms of Use: Copyright, restrictive.
Additional Information.
What is a "Data Breach"? A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so.
What is "Malware"? Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.
What is a "Payload"? In the context of a computer virus or worm, the payload is the portion of the malware which performs malicious action: deleting data, sending spam or encrypting data. In addition to the payload, such malware also typically has overhead code aimed at simply spreading itself, or avoiding detection.
What is "Phishing"? Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and traverse any additional security boundaries with the victim.
Social engineering (security): In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
What is "Information Security" (InfoSec)? Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. Information Security Attributes: Confidentiality, Integrity and Availability (C.I.A.). Information systems are composed of three main portions, hardware, software and communications, with the purpose of helping identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell administrators, users and operators how to use products to ensure information security within the organizations.
What is "Risk management"? Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
What is a "Vulnerability" (computing)? Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware.
What is an "Attack Surface"? The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.
What is an "Attack Vector"? In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.
What is "Standardization"? Standardization is the process of implementing and developing technical standards based on the consensus of different parties that include firms, users, interest groups, standards organizations and governments. Standardization can help maximize compatibility, interoperability, safety, repeatability, or quality. It can also facilitate a normalization of formerly custom processes. List of computer standards. List of technical standard organizations.
What is a "Replay attack"? A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. Another way of describing such an attack is: "an attack on a security protocol using a replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."
What is a "Man-in-the-middle attack"? In cryptography and computer security, a man-in-the-middle, ..., attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.
What is "Transport Layer Security" (TLS)? Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
What is a "Handshake" (computing)? In computing, a handshake is a signal between two devices or programs, used to, e.g., authenticate or coordinate. An example is the handshaking between a hypervisor and an application in a guest virtual machine.
What is "Security theater"? The practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.
License: Creative Commons Attribution-ShareAlike 4.0 International. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

CarahCast: Podcasts on Technology in the Public Sector
Why SSL/TLS Certificate Management Matters in 2023

CarahCast: Podcasts on Technology in the Public Sector

Play Episode Listen Later Jul 17, 2023 52:08


In this podcast, Jen Racine, Director of Sales Consulting at Entrust, and Andrew Sheedy, Enterprise Sales Director at Entrust, discuss the importance of managing SSL/TLS certificates and how agencies can maintain TLS encryption with Entrust Certificate Services (ECS). Listen to the podcast to discover how Entrust ECS can support your organization with SSL/TLS management to secure online communication, meet compliance requirements, advance Zero Trust initiatives and much more.

Hacker Public Radio
HPR3898: The Oh No! News.

Hacker Public Radio

Play Episode Listen Later Jul 12, 2023


The Oh No! news. Oh No! News is Good News.
TAGS: User space, Cybercrime, fraud, scams
User space. Cybercrime, also known as scams or fraud, is constantly evolving due to the many data breaches occurring around the world. Attackers gather more of our personal data from these data breaches, then use that data to develop or modify their attacks. Users must remain on guard against social engineered attacks aimed at defrauding users of personal information and/or property (usually money/currency). I’m suggesting users update themselves as they would update their computers. Knowing the types of attacks and how the attack is deployed will benefit you in the fight against Cybercrime. Reporting Cybercrime is beneficial for all users. When a user reports Cybercrime, that information can help investigators combat this growing threat and broadcast warnings to the greater population. I’ve provided a few links below to assist you in learning and reporting Cybercrime.
Common delivery methods for social engineered attacks are:
Email (attackers imitate legitimate organizations in design only).
Mobile (voice, text messages, and app stores).
Social Media (direct messages and marketplaces).
Websites (including fraudulent ads and popups).
Common data and/or property (e.g. currency) extraction methods are:
Peer-to-peer payment service apps (Venmo, Zelle, Cash App, etc.). WARNING, your money goes wherever you send it (including to scammers).
Wire transfers: transfer currency from one entity to another (account-to-account). WARNING, your money goes wherever you send it (including to scammers).
Cryptocurrency: 100% Scam. Light your money on fire for more value (reversing/recovering payment is virtually impossible).
Store gift cards: Unverifiable way to use currency (online or in store). WARNING, scammers prefer gift cards as payment (reversing/recovering payment is virtually impossible).
Source: Internet Crime Complaint Center (IC3). The Internet Crime Complaint Center, or IC3, is the Nation’s central hub for reporting cyber crime. It is run by the FBI, the lead federal agency for investigating cyber crime.
Supporting Source: Federal Trade Commission: All Scams.
Source: Action Fraud, the national reporting centre for fraud and cybercrime. Action Fraud is the UK’s national reporting centre for fraud and cybercrime where you should report fraud if you have been scammed, defrauded or experienced cyber crime in England, Wales and Northern Ireland.
Source: European Union Agency for Law Enforcement Cooperation. If you have fallen victim to cybercrime, click on one of the links below to be redirected to the reporting website of your country. Reporting mechanisms vary from one country to another. In Member States which do not have a dedicated online option in place, you are advised to go to your local police station to lodge a complaint.
Source: National Cybercrime and Fraud Reporting System. Reporting a scam or computer crime helps the Royal Canadian Mounted Police (RCMP), the National Cybercrime Coordination Unit (NC3) and the Canadian Anti-Fraud Centre (CAFC) learn more about the nature of these incidents. The information you include in your report helps us follow cybercrime and fraud trends. We use this information to help protect more people from harm. It is the role of local police services to investigate.
Source: Scams subreddit.
Supporting Source: Common Scams and Crimes. The following are some of the most common scams and crimes that the FBI encounters, as well as tips to help prevent you from being victimized.
Supporting Source: DuckDuckGo Search: Where do I report online scams?
Source: Paypal: What's the difference between friends and family or goods and services payments?

CISSP Cyber Training Podcast - CISSP Training Program
CCT 009: Implement Secure Communications (CISSP Domain 4)

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Feb 21, 2023 22:50 Transcription Available


Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity. In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam:
· CISSP / Cybersecurity Integration – Data Communications
· CISSP Training – Implement Secure Communication Channels
· CISSP Exam Question – Point to Point / OSI Layers
BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com
Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
CISSPCyberTraining.com - https://www.cisspcybertraining.com/
Facebook - https://www.facebook.com/CyberRiskReduced/
LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Quizlet https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
Infosec Institute https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/communications-and-network-security/secure-communications-channels/#gref
Wikipedia https://en.wikipedia.org/wiki/Trusted_computing_base https://en.wikipedia.org/wiki/SwIPe_(protocol) https://en.wikipedia.org/wiki/Transport_Layer_Security https://en.wikipedia.org/wiki/Secure_Electronic_Transaction
Transcript: Hey y'all, it's Shon Gerber was her new cyber risk. I hope you're all having a wonderful day today. It's a great day in Wichita, Kansas, the Heartland of America. Basically smack dab in the middle of the United States. So yeah, it's pretty flat here, it's pretty hot here, but it's July 8th. Hey, just wanted to go over what we're going to be talking about in our site. OSI CISSP cybersecurity integration. Data communications. And then on our CISSP training we're going to get into implement secure communication channels. And then in our exam question we're going to get to point to point; it's not from like point A to point B, it's a different kind of point to point. And then the OSI layers. All right, before we get started I want to just throw out a plug there for my CISSP training that you can find on youtube.com. You can check it out there at Shon, S H O N, Gerber. And I have CIS. training CISSP certification train
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

The technology blog and podcast
The Security box, podcast 115: NCSAM week 2, talking about domains

The technology blog and podcast

Play Episode Listen Later Oct 6, 2022 215:18


Welcome to program 115 of the Security box. Today, we talk about domains and SSL and plenty of news stuff too. The first hour and a half of the over 3 hour program is news related; check the blog for complete details on things or subscribe to the TSB list itself. Some of the stuff we talk about is already on the blog, others are not, but plan to be. As far as domains go, when we talked about Phishing we mentioned the fact that I published several resources on checking whether a domain exists and when it was registered and possibly by who. This was in reference to an article talking about Ian Phishing scams that might be out there now. Please be safe! Here are two resources:
ICANN Lookup
Who Is Lookup from Network Solutions
There are other tools to look up domains, and we can't forget about the ICANN web site and their work to keep domains at least here in the states in good working order. Another thing we talked about but not in great detail is Transport Layer Security, which SSL is now known as. We're providing the Wikipedia page as a reference since I didn't go in to a lot of detail on it. If people want me to, I can do that. If we've forgotten something that we should mention as part of this discussion, please send a note and let me know about it. There is always something to talk about in this space, and I can't think of everything, or think it may be too technical. You can always contact me through my web site and I thank each and every one of you for participating this week. See you next week!

Cloud Security Podcast
Feds go "Cloud Smart"+ Alibaba Cloud targeted by Hackers

Cloud Security Podcast

Play Episode Listen Later Nov 17, 2021 4:48


Cloud Security News this week, 17 November 2021. According to research by Trend Micro, Elastic Computing Service (ECS) instances for Alibaba Cloud are becoming an increasingly common target for financially motivated hackers with cryptomining goals. This increased targeting may be due to a few unique features of Alibaba Cloud: Alibaba ECS instances come with a preinstalled security agent and provide root access/privileged control by default. There is a detailed article attached about this here.
JupiterOne (a Cyber Asset Management Platform) and Cisco have announced the launch of Secure Cloud Insights, an expanded cloud security and security operations partnership designed to provide businesses with a range of cybersecurity services. This new solution is aimed at helping Cisco customers achieve a higher level of maturity with their digital transformation and security program. CEO of JupiterOne, Erkang Zheng, calls it a game-changing offering that would provide increased visibility, efficiency, and speed to security operations, with combined context from situational awareness and structural data. We would be curious to know if you think the same.
Those familiar with Palo Alto and their core cloud-security package, Prisma, may be intrigued to know that they have launched Prisma 3.0.
Truffle Security has released an open source hacking tool called Driftwood designed to discover leaked, paired private and public keys which may be harmful. Driftwood builds upon TruffleHog and is available on GitHub. Truffle Security, in their blog which is shared here, stated that with this tool they found the private keys for hundreds of Transport Layer Security certificates, and Secure Shell keys that would have allowed an attacker to compromise millions of endpoints/devices.
The Federal government is going from a “Cloud First” to a “Cloud Smart” strategy to leverage cloud without compromising security. They quoted that “Cloud Smart is about equipping agencies with the tools and knowledge they need to make these decisions for themselves, rather than a one-size-fits-all approach. The shift will be from “buy before build” to “solve before buy.” Under security they added that “Successfully managing cloud adoption risks requires collaboration”, leaning into that shared responsibility model we hear often about with Cloud Security. The link to the document is here.
Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod). Instagram - Cloud Security News. If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

Cloud Security News
17 November 2021 - Feds go Cloud Smart + Alibaba Cloud targeted by Hackers

Cloud Security News

Play Episode Listen Later Nov 17, 2021 4:48


Cloud Security News this week, 17 November 2021. According to research by Trend Micro, Elastic Computing Service (ECS) instances for Alibaba Cloud are becoming an increasingly common target for financially motivated hackers with cryptomining goals. This increased targeting may be due to a few unique features of Alibaba Cloud: Alibaba ECS instances come with a preinstalled security agent and provide root access/privileged control by default. There is a detailed article attached about this here.
JupiterOne (a Cyber Asset Management Platform) and Cisco have announced the launch of Secure Cloud Insights, an expanded cloud security and security operations partnership designed to provide businesses with a range of cybersecurity services. This new solution is aimed at helping Cisco customers achieve a higher level of maturity with their digital transformation and security program. CEO of JupiterOne, Erkang Zheng, calls it a game-changing offering that would provide increased visibility, efficiency, and speed to security operations, with combined context from situational awareness and structural data. We would be curious to know if you think the same.
Those familiar with Palo Alto and their core cloud-security package, Prisma, may be intrigued to know that they have launched Prisma 3.0.
Truffle Security has released an open source hacking tool called Driftwood designed to discover leaked, paired private and public keys which may be harmful. Driftwood builds upon TruffleHog and is available on GitHub. Truffle Security, in their blog which is shared here, stated that with this tool they found the private keys for hundreds of Transport Layer Security certificates, and Secure Shell keys that would have allowed an attacker to compromise millions of endpoints/devices.
The Federal government is going from a “Cloud First” to a “Cloud Smart” strategy to leverage cloud without compromising security. They quoted that “Cloud Smart is about equipping agencies with the tools and knowledge they need to make these decisions for themselves, rather than a one-size-fits-all approach. The shift will be from “buy before build” to “solve before buy.” Under security they added that “Successfully managing cloud adoption risks requires collaboration”, leaning into that shared responsibility model we hear often about with Cloud Security. The link to the document is here.
Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod). Instagram - Cloud Security News. If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

The Beta Of Alpha Alphabetically
Transport layer security

The Beta Of Alpha Alphabetically

Play Episode Listen Later May 24, 2021 0:12


https://abcdefghijklmnopqrstuvwxyz.us

Ethical Hacking
How You are going to secure your Mobile Devices from App that was not developed by you ?

Ethical Hacking

Play Episode Listen Later May 1, 2021 20:02


Hello everyone, my name is Vijay Kumar Devireddy and I am glad to have you back on my episode 25. Today we are discussing the security of apps. How do you know the app you want to install is secure? How do you know it's not going to be spying on you? How do you know there's no malware embedded in it? Well, you don't. But the best way to ensure that you don't get those types of things is by installing applications from the official mobile stores only. If you're using an Android device, that's the Google Play store. If you're using an iPhone, that's going to be the App Store. Now, some people have taken their phones and done what's called jailbreaking it or rooting it. On an Apple device, jailbreaking it means you're going to remove the security protections that Apple has put in place so that you can take it from your wireless carrier to a different wireless carrier or install third party apps outside of the App Store. As you can probably guess, these are both bad security practices and should not be done. Now, if you have an Android device we don't call it jailbreaking, we call it rooting. The reason is that Android is at heart a Linux operating system. So if you root the device, you now have administrative permissions over it. And you can install whatever applications you want and make the phone do things that it wasn't necessarily designed to do. Again, making sure that you don't jailbreak or root your device is a good first step to ensuring you have a secure device.

Next, you want to think about what browser and what applications you're actually running. For example, if you're using the Chrome browser, that's a fairly secure web browser. But if you decide to get a third party web browser, you don't know who it is that put that out there and if you can trust them. Maybe they're giving you this web browser but they're also taking a copy of all your data going through it. To avoid those types of issues, always get official applications when possible. And speaking of web browsers, one of the things you want to ensure is that whenever you're browsing the web on your mobile device, you're always going to the secure version of a website. That's denoted by the https at the front of the web address. This ensures that you have a TLS tunnel created between your phone and the server. What's TLS? Well, it's Transport Layer Security. It's going to put an encryption layer and a tunnel between your device and the server to ensure you have confidentiality and nobody is conducting a man in the middle attack against you.

Now, as businesses, we are increasingly going mobile all of the time. Enterprise Mobility has a couple of things that we need to think about when we talk about securing our apps as well. One of those is making sure we have control over those devices and what apps are installed. If your organization is going to be providing the cellphone to its employees, you have the right to install mobile device management software. MDM or Mobile Device Management is a centralized software solution that allows your system administrators to create and enforce policies across all of the mobile devices. This can ensure that people don't install games like Angry Birds, or they don't put on third party apps, or that they can only go to certain websites.

Develomentor
David Wong - What is Applied Cryptography? #121

Develomentor

Play Episode Listen Later Jan 7, 2021 48:47


Welcome to another episode of Develomentor. Today's guest is David Wong. David Wong is a security engineer working on the Libra blockchain at Facebook. He is an active contributor to internet standards like Transport Layer Security and to the applied cryptography research community. David is a recognized authority in the field of applied cryptography; he’s spoken at large security conferences like Black Hat and DEF CON and has delivered cryptography training sessions in the industry. He is the author of the soon-to-be-published Real-World Cryptography book.

If you are enjoying our content please leave us a rating and review or consider supporting us.

A note from Grant

If you like math, secrets, privacy and cryptocurrency, today’s guest is right up your alley. David Wong is a security engineer currently working for Facebook, with deep expertise in blockchain and more generally cryptography. After earning his bachelor’s in Math and his master’s in cryptography, David has worked for the likes of Matasano Security, NCC Group and now Facebook. In addition to his day job, David is the author of the upcoming Manning Publications book titled “Real-World Cryptography”, which you can purchase now in early access from manning.com.

As always, we are doing a giveaway with this episode. For the first 5 people who email us at hello@develomentor.com, we will give you a code good for one free ebook copy of David’s book. If you don’t want to email, you can use the discount code poddevmen20 for 40% off David’s book as well as all Manning books.

Quotes

“Cryptography started as a military thing in the beginning. But today everybody is using it without even knowing it. It all started with how we can hide communication from observers.”

“Especially if you’re in tech, understand that if you have one offer you’re probably going to have several offers. It’s not true for every field but tech is hiring and we’re in a good position. Keep going, don’t be afraid to say no or to ask for more time to decide.” —David Wong

Additional Resources

David’s book – https://www.manning.com/books/real-world-cryptography
David’s blog – https://cryptologie.net/
Course on how to learn on Coursera – https://www.coursera.org/learn/learning-how-to-learn

You can find more resources in the show notes. To learn more about our podcast go to https://develomentor.com/. To listen to previous episodes go to https://develomentor.com/blog/.

Connect with David Wong: LinkedIn, Twitter, GitHub
Connect with Grant Ingersoll: LinkedIn, Twitter
Support the show (https://www.patreon.com/develomentor)

SecurityTrails Blog
Jarm: A Solid Fingerprinting Tool for Detecting Malicious Servers

SecurityTrails Blog

Play Episode Listen Later Dec 23, 2020 10:31


Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

The literature on defensive security unanimously recognizes one fact: every so often, a tool comes out that provides blue teamers with an important advantage over their adversaries. This ever-elusive quest features essential requirements and commonalities, such as the ability to proactively seek and detect malicious hosts, or the capacity to swiftly respond to targeted network threats. And with a sharp rise in the number of incidents involving some form of malware or command and control (C2) activity resulting in data theft, vendors are in a tight race to gain their customers' trust—by leveraging newer alternatives to legacy solutions amidst shrinking budgets.

In the spirit of searching for and identifying malicious servers anywhere they can be found, the folks at Salesforce Engineering have recently released an open-source application called Jarm, which pivots on knowledge of Transport Layer Security (TLS) mechanisms to accomplish just that. This blog post will take you on a brief tour of Jarm to show you why we consider it a worthy addition to your OSINT tools.

TLS and Jarm

TLS is the next evolutionary step from its early SSL (Secure Sockets Layer) ancestor. Like its predecessor, TLS introduces its own version of a handshake process (Figure 1) by which cryptographic primitives, also known as cipher suites, are agreed between client and server prior to any data exchange. It is precisely this cryptographic agility that gives TLS its multifaceted quality, covering a wide range of applications (e.g., web traffic) and providing critical services such as confidentiality and integrity. To understand how Jarm leverages certain TLS attributes, let's take a closer look at the protocol's initial connection sequence.

Immediately following the TCP handshake, the client side sends a *ClientHello* message containing combinations of cryptographic algorithms supported (and preferred) by the caller, versioning details, extensions, a list of compression methods, and other session parameters in blocks of application data. In response, the server sends its own *ServerHello* message when a satisfactory set of algorithms has been confirmed—the packet is also formulated with the server's own version of the connection parameters used by the client. Subsequently, server and client proceed to verify each other's authenticity via digital certificates, after which both parties compute the premaster and master secrets used to derive session keys, any wrapper messages, and the remaining traffic tunneling structures.

The TLS parameters offered in the *ClientHello* message contain several identifying properties that are directly related to the client application. These features include OS builds, packages, libraries, and even process attributions. This level of granularity is particularly helpful in building **fingerprints** with a high degree of accuracy that can be leveraged to identify the same application during future sessions.

Similarly, TLS servers construct their *ServerHello* packets based on the *ClientHello* ones as well as their own subset of built-in identifiers such as:

- Operating system name and version.
- Server-side libraries.
- Other custom configurations.

Once again, this symbiotic relationship between client and server *Hello* packets dictates the way in which servers uniquely respond to a specific application, providing an excellent opportunity for quick identification via fingerprinting. And this is where Jarm comes in.

What is Jarm?

As previously mentioned, Jarm is a **TLS server fingerprinting application** recently released as an open source project by the engineering group at Salesforce.
The tool shares some similarities with a previous method of profiling TLS clients using JA3 signatures, released by the same team, which passively examines network traffic collecting fingerprints fro...

Cyber Security Interviews
#104 – David Wong: Many Layers of Complexity

Cyber Security Interviews

Play Episode Listen Later Dec 7, 2020 43:24


https://www.linkedin.com/in/david-wong-53170a4/ (David Wong) is a security engineer working on the https://libra.org/en-US/ (Libra blockchain) at Facebook. He is an active contributor to internet standards like Transport Layer Security and to the applied cryptography research community. David is a recognized authority in the field of applied cryptography; he’s spoken at large security conferences like Black Hat and https://def.camp/speaker/david-wong/ (DEF CON) and has delivered cryptography training sessions in the industry. He is the author of the soon-to-be-published https://www.manning.com/books/real-world-cryptography (Real-World Cryptography book). In this episode, we discuss why he focused on cryptography, the evolution of blockchain, his contributions to TLS, the Noise Protocol Framework, quantum computing, why he wrote a book on crypto, presenting and teaching cryptography, sanitizing data, and so much more! Where you can find David: https://www.linkedin.com/in/david-wong-53170a4/ (LinkedIn) https://twitter.com/cryptodavidw (Twitter) https://www.manning.com/books/real-world-cryptography (Real-World Cryptography) https://www.cryptologie.net/ (Cryptologie.net) https://noiseprotocol.org/ (Noiseprotocol.org)

Cryptography FM
Episode 1: Post-Quantum TLS With KEMs Instead of Signatures!

Cryptography FM

Play Episode Listen Later Sep 29, 2020 35:43 Very Popular


TLS 1.3 has been widely praised as a major upgrade to the Transport Layer Security protocol responsible for securing the majority of Web traffic. But one area in which TLS 1.3 seems to be lacking is its potential for resistance to attacks that utilize quantum computing – computers that, theoretically, could factor the products of large primes and solve the discrete logarithm problem in relatively short periods of time, significantly affecting the security of TLS 1.3. Today however, we’re discussing an interesting new paper, to be published at this year’s ACM CCS, which introduces KEMTLS: a modified version of TLS 1.3 that uses Key Encapsulation Mechanisms, or KEMs, instead of signatures for server authentication, thereby providing a sort of “post-quantum TLS”. But what even are KEMs? Are quantum computers even a thing that we should be worried about? On the first ever episode of Cryptography FM, we’ll be hosting Dr. Douglas Stebila and PhD Candidate Thom Wiggers to discuss these questions and more. Dr. Douglas Stebila is an Associate Professor of cryptography in the Department of Combinatorics & Optimization at the University of Waterloo in Waterloo, Ontario, Canada. His research focuses on improving the security of key exchange protocols and Internet cryptography protocols such as TLS and SSH, including the development of quantum-resistant solutions. His previous work on the integration of elliptic curve cryptography in TLS has been deployed on hundreds of millions of web browsers and servers worldwide. Thom Wiggers is a PhD Candidate at the Institute of Computing and Information Sciences at Radboud University in The Netherlands. He is working on the interactions of post-quantum cryptography with protocols, under the supervision of Dr. Peter Schwabe, who is also a co-author of the research work that we’re going to discuss today. 
Links to discussed papers:
* Post-quantum TLS without handshake signatures (https://eprint.iacr.org/2020/534)
* Big Other: Surveillance Capitalism and the Prospects of an Information Civilization (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754)
* Supersingular isogeny key exchange for beginners (https://eprint.iacr.org/2019/1321)
* Clone Detection in Secure Messaging: Improving Post-Compromise Security in Practice (https://cispa.saarland/group/cremers/downloads/papers/CFKN2020-messaging_cloning.pdf)

Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Douglas Stebila and Thom Wiggers.

IGeometry
Why Application-Layer Protocol Negotiation is Critical for HTTP/2 Backends

IGeometry

Play Episode Listen Later Sep 6, 2020 7:01


Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows the application layer to negotiate which protocol should be performed over a secure connection in a manner that avoids additional round trips and which is independent of the application-layer protocols. It is needed by secure HTTP/2 connections; HTTP/2 improves the compression of web pages and reduces their latency compared to HTTP/1.x. The ALPN and HTTP/2 standards emerged from development work done by Google on the now withdrawn SPDY protocol. https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

1:30 TCP Handshake
1:40 TLS

--- Send in a voice message: https://anchor.fm/hnasr/message

Computer Networking
Secure Transport - Computer Networking

Computer Networking

Play Episode Listen Later Jul 1, 2020 11:15


Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL),[1] are cryptographic protocols designed to provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Tech Talk Radio Podcast
June 13, 2020 Tech Talk Radio Show

Tech Talk Radio Podcast

Play Episode Listen Later Jun 13, 2020 52:07


HAL9000 voice options, Cisco Registered Envelope Service vs Transport Layer Security, twistronics (stacking 2D materials), password creation trick, reporting stolen Facebook photos, Move to iOS App (transfers data from Android), Profiles in IT (Rasmus Lerdorf, creator of PHP scripting language), Observations from the Bunker, cell phone videos have changed the world (for the better), Dumb Idea of the Week (AntiPowerPoint Party), facial recognition in the crosshairs (Amazon, Microsoft, IBM take action), and Section 230 of the Communications Decency Act (needs revision). This show originally aired on Saturday, June 13, 2020, at 9:00 AM EST on WFED (1500 AM).

Let's Talk About Digital Identity
How the Certificate Authority plays a critical role in identity with DigiCert’s Dean Coclin – Podcast Episode 18

Let's Talk About Digital Identity

Play Episode Listen Later Apr 1, 2020 28:28


Let's talk about digital identity with Dean Coclin, Senior Director, Business Development at DigiCert. In episode 18, Oscar is joined by Dean Coclin, representing the world's largest public Certificate Authority (CA) – DigiCert. The conversation decodes exactly what a CA does and its critical role in Public Key Infrastructure (PKI). Listen in on DigiCert's view of, and role in, digital identity with relation to Transport Layer Security (TLS) and Extended Validation (EV) certificates, the Internet of Things (IoT) and Legal Entity Identifiers (LEIs). LEIs are the 20-digit alphanumeric codes identifying unique global legal entities. Ubisecure is the fastest growing LEI issuer globally through its RapidLEI service. DigiCert announced a partnership with Ubisecure in December 2019, collaborating to extend the use of LEIs for multiple types of digital certificate-based use cases. Read the press release here - ubisecure.com/news-events/digicert-ubisecure-partnership-legal-entity-identifier-organization-identity-solutions. Dean also fills us in on the CA/Browser Forum and the ASC X9 PKI Study Group, which he chairs. "What good is encryption if we don't know who we are encrypting to?" Dean Coclin brings more than 30 years of business development and product management experience in software, security and telecommunications.  As Senior Director of Business Development at DigiCert, he is responsible for representing the company in industry consortia and driving the company's strategic alliances with technology partners. Mr. Coclin is also the past Chair of the CA/Browser Forum and the CA Security Council. Currently he chairs the ASC X9 PKI Study Group. Previously Mr. Coclin worked at Symantec’s Website Security business unit before it was sold to DigiCert and was one of the founders of ChosenSecurity, an Internet security firm which was sold to PGP Corporation in February 2010. PGP was subsequently acquired by Symantec in June 2010. Prior to this, Mr. 
Coclin was Director of Business Development at GeoTrust which was sold to Verisign in 2006. He holds a BSEE and MS from The George Washington University and an MBA from Babson College. Follow Dean on Twitter @chosensecurity and find his articles on the DigiCert blog at digicert.com/blog. For more information on DigiCert, visit its website - digicert.com – and follow the CA/Browser Forum at cabforum.org. We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!  

CISO-Security Vendor Relationship Podcast
Empowered! Working Together to Pile on the Cyber Guilt

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Feb 11, 2020 32:15


All links and images for this episode can be found on CISO Series (https://cisoseries.com/empowered-working-together-to-pile-on-the-cyber-guilt/) We can all be more secure if we work together as a team to shame those who don't agree with how we approach security. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Chris Hatter, CISO, Nielsen. On this week's episode Mike's confused. Let's help him out. Mike inspired this brand new segment with his question to the LinkedIn community, asking what's the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we've been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G. Does shaming improve security? Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin's "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO. What's Worse?! A grand financial decision in this scenario. Is this the best solution? According to a recent article in the Wall Street Journal, there is an ever so slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?
With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format. Although Quantum communication has been in development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight. This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least. More from our sponsor ExtraHop. Close your eyes. Breathe in. It’s time for a little security philosophy. Simon Goldsmith, adidas, said, "I’ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."

BSD Now
313: In-Kernel TLS

BSD Now

Play Episode Listen Later Aug 28, 2019 55:12


OpenBSD on 7th gen Thinkpad X1 Carbon, how to install FreeBSD on a MacBook, Kernel portion of in-kernel TLS (KTLS), Boot Environments on DragonflyBSD, Project Trident Updates, vBSDcon schedule, and more.

Headlines

OpenBSD on the Thinkpad X1 Carbon 7th Gen (https://jcs.org/2019/08/14/x1c7)

Another year, another ThinkPad X1 Carbon, this time with a Dolby Atmos sound system and a smaller battery. The seventh generation X1 Carbon isn't much different than the fifth and sixth generations. I opted for the non-vPro Core i5-8265U, 16Gb of RAM, a 512Gb NVMe SSD, and a matte non-touch WQHD display at ~300 nits. A brighter 500-nit 4k display is available, though early reports indicated it severely impacts battery life. Gone are the microSD card slot on the back and 1mm of overall thickness (from 15.95mm to 14.95mm), but also 6Whr of battery (down to 51Whr) and a little bit of travel in the keyboard and TrackPoint buttons. I still very much like the feel of both of them, so kudos to Lenovo for not going too far down the Apple route of sacrificing performance and usability just for a thinner profile. On my fifth generation X1 Carbon, I used a vinyl plotter to cut out stickers to cover the webcam, "X1 Carbon" branding from the bottom of the display, the power button LED, and the "ThinkPad" branding from the lower part of the keyboard deck.

See link for the rest of the article

How To Install FreeBSD On A MacBook 1,1 or 2,1 (http://lexploit.com/freebsdmacbook1-1-2-1/)

FreeBSD Setup For MacBook 1,1 and 2,1. FreeBSD, with some additional setup, can be installed on a MacBook 1,1 or 2,1. This article covers how to do so with FreeBSD 10-12. FreeBSD can be installed as the only OS on your MacBook if desired. What you should have is:
* A Mac OS X 10.4.6-10.7.5 installer. Unofficial versions modified for these MacBooks such as 10.8 also work.
* A blank CD or DVD to burn the FreeBSD image to. Discs simply work best with these older MacBooks.
* An ISO file of FreeBSD for x86. The AMD64 ISO does not boot due to the 32 bit EFI of these MacBooks.

Burn the ISO file to the blank CD or DVD. Once done, make sure it's in your MacBook and then power off the MacBook. Turn it on, and hold down the c key until the FreeBSD disc boots.

See link for the rest of the guide

News Roundup

Patch for review: Kernel portion of in-kernel TLS (KTLS) (https://svnweb.freebsd.org/base?view=revision&revision=351522)

One of the projects I have been working on for the past several months in conjunction with several other folks is upstreaming work from Netflix to handle some aspects of Transport Layer Security (TLS) in the kernel. In particular, this lets a web server use sendfile() to send static content on HTTPS connections. There is a lot more detail in the review itself, so I will spare pasting a big wall of text here. However, I have posted the patch to add the kernel-side of KTLS for review at the URL below. KTLS also requires other patches to OpenSSL and nginx, but this review is only for the kernel bits. Patches and reviews for the other bits will follow later. https://reviews.freebsd.org/D21277

DragonFly Boot Environments (https://github.com/newnix/dfbeadm)

This is a tool inspired by the beadm utility for FreeBSD/Illumos systems that creates and manages ZFS boot environments. This utility, in contrast, is written from the ground up in C; this should provide better performance, integration, and extensibility than the POSIX sh and awk script it was inspired by. During the time this project has been worked on, beadm has been superseded by bectl on FreeBSD. After hammering out some of the outstanding internal logic issues, I might look at providing a similar interface to the command as bectl.

See link for the rest of the details

Project Trident Updates

19.08 Available (https://project-trident.org/post/2019-08-15_19.08_available/)

This is a general package update to the CURRENT release repository based upon TrueOS 19.08. Legacy boot ISO functional again: this update includes the FreeBSD fixes for the “vesa” graphics driver for legacy-boot systems. The system can once again be installed on legacy-boot systems.

PACKAGE CHANGES FROM 19.07-U1: New Packages: 154, Deleted Packages: 394, Updated Packages: 4926

12-U3 Available (https://project-trident.org/post/2019-08-22_stable12-u3_available/)

This is the third general package update to the STABLE release repository based upon TrueOS 12-Stable.

PACKAGE CHANGES FROM STABLE 12-U2: New Packages: 105, Deleted Packages: 386, Updated Packages: 1046

vBSDcon (https://www.vbsdcon.com/schedule/)

vBSDcon 2019 will return to the Hyatt Regency in Reston, VA on September 5-7 2019.

***

Beastie Bits

The next NYCBUG meeting will be Sept 4 @ 18:45 (https://www.nycbug.org/index?action=view&id=10671)

Feedback/Questions

Tom - Questions (http://dpaste.com/1AXXK7G#wrap)
Michael - dfbeadm (http://dpaste.com/0PNEDYT#wrap)
Bostjan - Questions (http://dpaste.com/1N7T7BR#wrap)

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

Mobycast
An Encryption Deep Dive - Part Two

Mobycast

Play Episode Listen Later Aug 21, 2019 36:44


In episode 74 of Mobycast, we continue with part two of our series on encryption. In particular, we'll discuss Transport Layer Security in practice. Welcome to Mobycast, a weekly conversation about cloud-native development, AWS, and building distributed systems.

Reduce Cyber Risk Podcast
RCR 043: Implement Secure Communication Channels (CISSP Domain 4)

Reduce Cyber Risk Podcast

Play Episode Listen Later Jul 8, 2019 22:13


Description: Shon Gerber from ReduceCyberRisk.com provides you the information and knowledge you need to prepare for and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam:
* CISSP / Cybersecurity Integration – Data Communications
* CISSP Training – Implement Secure Communication Channels
* CISSP Exam Question – Point to Point / OSI Layers

BTW - Get access to all my CISSP Training Courses here at: http://reducecyberrisk.com/cissp-training/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
ReduceCyberRisk.com - https://reducecyberrisk.com/
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Quizlet https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
Infosec Institute https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/communications-and-network-security/secure-communications-channels/#gref
Wikipedia https://en.wikipedia.org/wiki/Trusted_computing_base https://en.wikipedia.org/wiki/SwIPe_(protocol) https://en.wikipedia.org/wiki/Transport_Layer_Security https://en.wikipedia.org/wiki/Secure_Electronic_Transaction

AWS TechChat
Episode 50 - June 2019 Tech Round-up

AWS TechChat

Play Episode Listen Later Jun 27, 2019 42:14


In this episode of AWS TechChat, TechChat turns 50 and Shane and Pete come at you with a raft of short, sharp and important updates that occurred in June 2019. They start the show by introducing you to a new service that has gone GA - AWS IoT Events. AWS IoT Events is a new, fully managed IoT service that makes it easy to detect and respond to events from IoT sensors and applications without the traditional heavy lifting of building IoT applications, and brings a managed complex event detection service to our already buff IoT suite. Sticking with the IoT theme, we quickly announced that BLE (Bluetooth Low Energy) support has landed in Amazon FreeRTOS, and a new MQTT library is now generally available in Amazon FreeRTOS 201906.00. With this update, you can now securely connect Amazon FreeRTOS devices using BLE to AWS IoT via Android and iOS devices, and use the new MQTT library to create applications that are independent of the connectivity protocol. We then spoke about two new features for Microsoft SQL. Always On Availability Groups have made their way to SQL Server 2017 Enterprise Edition, and we let you know you can now restore a multi-file native SQL Server backup from Amazon S3 to an Amazon RDS SQL Server database instance. Amazon Elastic Container Service (ECS) for Windows containers has gone GA, so prepare your BSODs, only kidding. We now support Amazon ECS clusters running Windows Server 2019 containers, so if Windows containers are your thing, take a look at Amazon ECS. Lastly, with Amazon API Gateway custom domains, you can now enforce a minimum Transport Layer Security (TLS) version and cipher suites through a security policy, allowing you to further improve security for your customers.

Resources:
• AWS IoT Events https://aws.amazon.com/iot-events/
• Amazon FreeRTOS Bluetooth Low Energy https://aws.amazon.com/blogs/iot/perform-ota-firmware-updates-on-espressif-esp32-devices-using-amazon-freertos-bluetooth-low-energy-mqtt-proxy/
• Amazon RDS SQL Server https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-rds-for-sql-server-now-supports-always-on-availability-groups-for-sql-server-2017/
• Amazon Elastic Container Service (ECS) for Windows containers https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_Windows.html
• Amazon API Gateway – TLS https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-api-gateway-adds-configurable-transport-layer-security-version-custom-domains/

WIRED Security: News, Advice, and More
HTTPS Isn't Always As Secure As It Seems

WIRED Security: News, Advice, and More

Play Episode Listen Later Mar 29, 2019 6:44


Widespread adoption of the web encryption scheme HTTPS has added a lot of green padlocks—and corresponding data protection—to the web. Almost all of the popular sites you visit every day likely offer this defense, called Transport Layer Security (TLS), which encrypts data between your browser and the web servers it communicates with to protect your travel plans, passwords, and embarrassing Google searches from prying eyes.

WIRED Security: News, Advice, and More
iTunes Doesn't Encrypt Downloads—on Purpose

WIRED Security: News, Advice, and More

Play Episode Listen Later Dec 4, 2018 5:49


The push to encrypt traffic throughout the web has resulted in safer and more secure browsing across millions of sites. But not everywhere uses the so-called Transport Layer Security that keeps HTTPS-enabled sites safe from prying eyes. Including, it turns out, Apple's iTunes and iOS App Store infrastructure, which runs its downloads over unencrypted connections. Typically you can tell when a website uses HTTPS encryption by the little green padlock on the left side of the URL bar.

Finding Genius Podcast
Details of Data Delivery – John Prisco, President and CEO of Quantum Xchange – How Quantum Computers Have Changed the Game, Forcing a Data Security Revolution

Nov 5, 2018, 21:12


John Prisco, president and CEO of Quantum Xchange (quantumxc.com), provides a very detailed overview and analysis of the ever-changing data security industry, and of how quantum computers are forcing every business and government agency to rethink how they send and receive sensitive data. Quantum Xchange provides impeccable defense to commercial enterprises and government agencies that seek to keep their high-value assets safe and secure now and into the future. As quantum computers will significantly change how organizations secure their most sensitive data, Quantum Xchange will continue to be a sought-after partner for any entity that requires the most premium security. John Prisco has over 30 years of solid experience in the areas of cybersecurity, telecommunications, and quantum physics. He has championed successful revenue growth and provided quality leadership and management to a multitude of companies such as Triumfant, GeoVantage, and Ridgeway Systems. Prisco is devoted to Quantum Xchange's mission, and to its valued customers, partners, investors, and the many quality employees who have helped make Quantum Xchange the gold standard in data security. Prisco discusses how his company is a respected provider of unbreakable quantum keys and secure communications, and how they enable organizations to send unbreakable data over any distance using the laws of quantum physics. He elaborates on quantum key distribution, a secure communication process that implements a cryptographic protocol involving components of quantum mechanics. Via quantum key distribution, two parties can produce a shared random secret key known only to them, which can be used to encrypt and decrypt messages. As Prisco explains, the keys will change their state if an unauthorized party attempts to eavesdrop on them. Anything intercepted will be completely unusable by the breaching party and will not decrypt any of the secure data whatsoever.
The security expert gives a thorough analysis of the process that parties use to agree on their encryption, as he details the transmission of photons, overall security, and the classification known as teleportation. Prisco discusses the future of computing, the progress that has been made in a relatively short time, and what advances are on the horizon. The large prime numbers that form the structure and base of today's public-private key encryption protocols, Secure Sockets Layer (SSL) and Transport Layer Security (TLS), will be easily and quickly factored by quantum computers, leaving mission-critical data exposed and very much at risk. Prisco states that with their system, even one photon that is tampered with will be evident to the end user. He explains quantum random number generators that work on photonic principles, and provides an in-depth analysis of the wave nature of light that impacts the security of data in the process. Further, the data security executive discusses the future of data security and how his company, Quantum Xchange, will continue to address the shortcomings inherent in modern-day encryption.

InfoSec Weekly Podcast
17 August Weekly podcast: Intel Foreshadow attack, Cosmos cash-out scheme, TLS 1.3 and Patch Tuesday

Aug 17, 2018, 6:04


This week, we discuss a new flaw affecting Intel processors, a $13.5 million cyber attack on an Indian bank, the release of version 1.3 of the Transport Layer Security protocol and the highlights from this month's Microsoft patches.

Camp Tech Podcast with Avery Swartz
023: HTTPS and SSL Certification

May 30, 2017, 39:35


Guest: Shawn Hooper
What He Does: Shawn has worked as a computer programmer for most of his life, and is currently the Director of IT for Actionable Books — his job entails developing all of the internal tools for their staff. He is also a WordPress core contributor.
Ponderance: How do SSL certificates and HTTPS help to secure websites?
Find him online: shawnhooper.ca
In today's episode, Shawn joins Avery to talk about issues of HTTPS and SSL certification. During this discussion, Shawn explains some of the technicalities of these things and puts them in a practical framework that listeners can apply to their own websites.

Key Takeaways:
[2:50] SSL stands for Secure Sockets Layer — this is actually an old protocol, and the new one is called Transport Layer Security, or TLS. SSL/TLS are cryptographic protocols that ensure that the data between your computer and the computer you're getting data from is encrypted in both directions.
[4:50] HTTPS is a secure version of the HTTP protocol. HTTP is the standard that defines how a web browser and a web server exchange data: how a page is requested, how the server responds to that request, and how it handles errors. HTTPS adds a layer of security on top of this, so it's HTTP over SSL.
[6:30] In your web browser, when you look at the address bar, if the connection is secure you will see a little padlock. This means you are using HTTPS and the connection between you and the site is secure. The URL will also start with https rather than http.
[7:55] Web browsers are starting to call the attention of website owners and visitors to security, and to push for HTTPS on the websites we visit. The "not secure" notice shows up on pages with a form that asks for a password or credit card information but is not secured with HTTPS.
[10:05] Another type of warning can appear on a page that is HTTPS but isn't fully secure. This is a sign of a broken implementation — it might be represented by a broken padlock or an "i" with a circle around it.
[11:54] In addition to security, the biggest benefit of switching to HTTPS and having a secure site is increased trust between you and your customers. If they trust you, they are more likely to interact with the site. In some cases, having an SSL/HTTPS-encrypted website is a requirement; it is required if you accept credit card data. Google will also give a slight ranking increase to sites that are HTTPS.
[14:05] To implement SSL/HTTPS, you need to buy a certificate that will act as a "handshake" between your computer and the web server. This certificate identifies your server as being you, and allows your visitors' browsers to recognize your website. There are three types of certificates available: 1) domain-validated, 2) organization-validated, and 3) extended-validation. From a technical standpoint, they all encrypt the same way; where they differ is in trust.
[18:23] In terms of cost, you can get a domain-validated certificate for free. An organization called Let's Encrypt offers free SSL certificates, and many web-hosting companies are building Let's Encrypt right into their offerings. A certificate from Let's Encrypt expires after 90 days, rather than a year like most other SSL certificates, but it can be auto-renewed. This is a great solution for those who want a little boost of trust but don't need the higher-end validation of who you are.
[20:48] If your web host doesn't support Let's Encrypt, you can get a domain-validated certificate from a certificate authority for a couple of dollars a year. The other two types of certificates are more expensive.
[22:19] Some factors that might affect the cost of your certificates: a wildcard certificate lets you secure a domain name and all of its host names in a single certificate, usually at a premium that increases the price. Along with this, Shawn and Avery discuss the possibility of websites not using the "www." host name.
[25:20] As a non-technical person, should you reach out for technical help, or can you do this yourself? Shawn recommends contacting tech support for your web host, or your web developer, to find out what the process is and the best way to proceed.
[26:13] Shawn talks through the process of putting an SSL certificate on your website. A CSR (certificate signing request) is created by the web server, identifying it as the web server. This is submitted to the certificate authority, and you get back a certificate that matches the CSR. Then the two have to be connected together.
[27:51] Once you set up the certificate, your website should be encrypted. To make sure, go to your HTTP website and see if it is redirected to the secure HTTPS version. You may have to change a setting to ensure your website is running on HTTPS. If you are still getting warnings, an element on the page may not be transmitted over HTTPS. To be considered fully secure, each element must be changed to HTTPS. Shawn and Avery discuss some different situations that could be causing a mixed content warning.
[33:30] Practical tips: get in touch with your hosting company and try to get them to put the SSL certificate on your website for you. If you are still getting the mixed content warning, you may need to bring in a web professional.
[36:14] It is important to make sure we are doing as much as we possibly can to be secure on our computers and on our websites, and this level of encryption is just one extra step for your protection. It is much easier now than it was in the past.

Episode Highlights: Term Definitions: SSL and TLS; Term Definitions: HTTPS; URLs in specific Web Browsers; Notices of Security; Pros of switching websites to HTTPS; How to Implement SSL and HTTPS on your website; Purchasing an SSL Certificate; Three types of certificates; Price of certificates; Resources for Obtaining Certificates; Process of putting an SSL certificate on your website; Mixed Content Warnings

Resources: Camp Tech Podcast Episode 1; Actionable Books; Let's Encrypt; SSLs.com; Camp Tech Website

Merge Conflict
Merge Conflict 37: TLS - How Do You EVEN

Mar 20, 2017, 51:53


It's time to go down the rabbit hole of networking to investigate the ins and outs of Transport Layer Security (TLS) and how it impacts your apps. James walks Frank through his latest issues with APIs requiring TLS 1.2+ and how he was able to debug the situation at 4:30am to get a new release of his app out. We attempt to make networking fun as we dive through HTTP headers and general connectivity tips and tricks.
Follow Us: Frank: Twitter, Blog, GitHub; James: Twitter, Blog, GitHub
Music: Amethyst Seer - Citrine by Adventureface

Office 365 HQ Podcast
Episode 004: Skype or Skype For Business?

Oct 1, 2015, 30:47


Today I'm going to talk about Skype For Business. Skype For Business is a bit like OneDrive For Business. It is a product that has changed its name a few times over the last 5 years. First it was called Communicator, or Office Communicator. Then it was called Lync, and now it is called Skype For Business. I'm a little afraid that it's Microsoft's marketing department trying to mix some brand names together to see whether that gives a more recognizable effect. They have probably had some focus groups tell them it makes good sense. Unfortunately, my opinion is that it confuses more than it helps. Just as with OneDrive For Business, Skype For Business doesn't have much to do with Skype. And yet a bit more than first assumed. Let me line them up and compare a little. Login to SkypeFB is the same as your Office 365 login. If you have ADFS set up, then your Office 365 login is the same as your AD login, which means that when you are logged on to your computer you are logged on to Office 365 and Skype FB. The obvious advantage is of course that with Skype For Business you can talk to people who are "only" on regular Skype. There are some limitations when you cross Business with regular Skype. For example, I have experienced quite a few problems sharing content across the platforms. And I have also had quite a few problems if you need to make a call with, say, 3 users and one of them is on regular Skype. Then it doesn't really work. But normal one-to-one conversations work really well across the platforms. It is also a fairly new thing, so I'm sure there are some wrinkles here and there that need to be ironed out before Microsoft makes it a problem-free experience. I will say that I use both programs myself, since I am forced to use regular Skype a few times a month. Otherwise, my Skype For Business is my primary communication platform besides phone and e-mail.
Skype For Business talks to your Office 365 (assuming that is where you have it; you can also get your own Skype For Business server, install it locally and have it talk to your local Exchange and SharePoint). Side track... But it talks to your Office 365 in the sense that if, for example, you have booked a lot of things in your Outlook calendar, SkypeFB reads your calendar and sets your status accordingly. If you are browsing around SharePoint and see who has uploaded a document, you can immediately see their status directly in SharePoint, and if you click on the red/yellow/green icon next to their name, you can also see when that person is free or when their next meeting is. In short, it also looks at the selected person's calendar from inside SharePoint. In this way Skype For Business is integrated into Office 365, by keeping an eye on everyone's calendars and then indicating their status, either in Skype or on your contact list. With SkypeFB you can also record your meetings, for example. Video too, if you share content. So if you hold a meeting, you can just record it, and when it is finished you can send the recording to the participants. If you have to write meeting minutes, it is always easier to watch the video afterwards to be sure you have captured everything correctly, or to check whether you understood everything as it was meant. With SkypeFB you can schedule meetings directly from Outlook. If you schedule an online meeting, for example, you get a virtual meeting room where you can upload documents and PowerPoints in advance for the participants to download. When the meeting starts, you can have a lobby people must pass through before they get access to the meeting. That can be a really good thing if it is a public meeting where you have put the link for joining on your website.
It may also be a closed meeting where you just need the virtual meeting room to present a product to some potential buyers. Then it is nice to be able to upload a PowerPoint and start it on the participants' screens, while at the same time recording your presentation and the participants' questions. That makes it much easier to evaluate afterwards. You can of course also allow or forbid external contact with your SkypeFB, so you can have partners, customers, etc. on your contact list and they can see your status. You can choose yourself whether they get access to all the details in your calendar, or whether they should only be able to see whether you are busy or free. When you open up for external communication, you can, however, specify one or more domains to be blocked. That could be, for example, if you are not interested in your employees talking to or being contacted by the competitor, or other domains. If you need to contact people who do NOT have SkypeFB or regular Skype, they have the option, when they receive the invitation, to use a web client to follow the content. If you are up for it and have an organization with the need, you can connect SkypeFB to a telephone service that allows people to dial in to the individual SkypeFB meeting, so that they can participate by phone. That is really useful if, for example, you already have a lot of conference phones set up in your organization. On top of these things, all communication to and from SkypeFB is encrypted. At present the encryption is 256-bit, which should be plenty to keep various eavesdroppers away from what you write, say or share.
So for now, with Skype FB you can:
• Integrated login
• Talk to all Skype users
• Use both Skype and SkypeFB on the same machine
• Switch status automatically based on your Outlook calendar, and see it in Outlook, SharePoint and of course Skype
• Record your meetings
• Schedule meetings with material the participants can download
• Lock SkypeFB down to internal use only, or open it up for free communication while blocking individual domains
• Dial in to a meeting
• Encrypted communication in voice, text and visual, via TLS (Transport Layer Security) SHA-256
• Share your desktop and take control of other people's desktops (integrated support function)
• Save your chat history automatically in Outlook (i.e. your Exchange account)
How many of these things can you do with regular Skype?
• Separate login that is not tied to your AD or Office 365. That is, yet another username and password to remember.
• You can talk to Skype users and SkypeFB users
• You cannot switch status automatically
• You cannot see status in Outlook or SharePoint
• You can record your conversations, but it requires 3rd-party programs
• You cannot schedule meetings, and you cannot have up to 250 participants in the same meeting. You can, however, have up to 25 on the same call.
• You cannot lock your employees' communication down to internal only or block unwanted domains
• You can call another Skype user from your phone if they have SkypeOut. But don't ask me whether it works well or badly. I have never tried it.
• Communication is apparently also encrypted, but only Skype to Skype, and it uses AES 265-bit encryption, not TLS.
I am not a security expert, but TLS is supposed to be a layer deeper, so that it is the connection itself that is encrypted and not just the content on top of the connection. If you have Office 365, it is just a matter of setting up your DNS correctly and then installing Skype FB. Then you get a serious business-oriented communication platform. But it does have to be set up. Primarily, SkypeFB (formerly called Lync) is designed for communication with other SkypeFB clients. Communication and integrated "free/busy" information. But that's how it is with all online communication tools. They are never 100% stable.
Skype goes down, the mobile network doesn't have coverage everywhere, and the Wi-Fi fails. All of that is part of our technological everyday life, and it isn't perfect. But it gets better all the time. And especially online communication tools like Skype and Skype for Business. Their uptime, audio quality and functionality keep getting better and better. And the infrastructure needed to support HD audio, images and video is also getting more and more stable. If you want to read more about Skype For Business and the individual plans, you can find a link to Microsoft's page: https://products.office.com/en-us/skype-for-business/compare-plans If you are interested in the security around SkypeFB, you can read more here: https://technet.microsoft.com/en-us/library/skype-for-business-online-security-and-archiving.aspx TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security

Good Day, Sir! Show
Off by One Decimal Place

Jul 16, 2015, 88:10


In this episode we discuss Salesforce reaching 1 million volunteer hours, Office 365, IBM's 7nm chip, jQuery 3.0, TideKit shutting down, Heroku Connect, Apex Metadata API support, improvements to the Salesforce Developer Docs portal, Salesforce Shield, Microsoft Cortana Analytics, Workday acquiring Upshot, developer productivity, makers' schedules vs. managers' schedules, and .Net support for TLS 1.2.
#SwearJar | @jeremyross (2) | @johndesantiago (1)
Salesforce Hits 1 Million Volunteer Hours!
Office 2016 for Mac Now Works Just as Well as It Does on Windows
You won't buy IBM's 7nm chip, but it's a big deal for computing
jQuery 3.0 and jQuery Compat 3.0 Alpha Versions Released
How Much It Costs to Check Bags on Nine Major U.S. Airlines
Heroku Connect: Now with Free Salesforce API Calls
Idea of the Week: Ability to update Metadata from Apex (Apex Metadata API)
Salesforce Launches Salesforce Shield
More Improvements to the Developer Docs Portal
Superstar-backed Rescale nets $6.4 million to build a better engineering cloud
Cortana Analytics Suite
Workday acqu-hires Upshot, the startup that won controversial $1M Salesforce hackathon prize
How to destroy Programmer Productivity
Maker's Schedule, Manager's Schedule
.Net SslProtocols Enumeration
TransportLayerSecurity#TLS_handshake

Macoun Konferenz HD
NSURLConnection: Safety First! (Alex von Below, Pepi Zawodsky)

Jan 7, 2014, 52:01


This session refreshes the fundamentals of Transport Layer Security in general and of NSURLConnection in particular, and shows advanced techniques for using NSURLConnection. Possible mistakes and their consequences are illustrated with a live man-in-the-middle attack. Session 3, Saturday, Großer Saal, Macoun 2013

Podcast Z
Podcast Z #1: HTTPS Everywhere

Mar 6, 2011, 39:34


We propose using HTTPS everywhere. There is no excuse not to. http://podcast.jcea.es/podcastz/1
Notes:
00:25: Browsing on open Wi-Fi networks compromises our security.
01:07: The solution is to use encryption. What is encryption? How does encryption work?
02:45: Certification authorities.
05:00: Certification authorities are nothing special or magical.
06:50: The identity verification done by most certification authorities is not trustworthy.
09:25: Self-signed certificates.
13:25: "Man-in-the-Middle" attack.
16:20: Encrypting is preferable to not encrypting. At least we are protected against passive attacks.
18:30: SNI: "Server Name Indication".
22:32: Problems with SNI and Microsoft Windows XP, unless you use a browser like Mozilla Firefox, which uses its own cryptographic library. There are also minor problems with libraries in some programming languages.
25:15: Performance problems? NO! We go over CPU, latency, bandwidth and browser caches.
32:00: DNSSEC as an alternative certification system?
36:39: Errata.

Hackerfunk
HF026 - E-Mail

Jul 10, 2009, 57:42


What you know, and yet don't really know. This episode is about one of the oldest and at the same time most popular services on the Internet: electronic mail, e-mail for short. Accompany us and our e-mail on its journey from the sender, past mail servers, spam filters and virus checkers, to the recipient's mail program, and learn many interesting details about header lines, data protocols and other usually hidden things around message exchange on the Internet.
Track list: D+O – Zensursula; Borrachos – Pornostar; 7ieben – Sonntags; Freibeuter AG – Partytime; MZMK – Krzyk
Next broadcast: 5 September 2009, 19:00
E-Mail Weg :: The path of an e-mail, by Jens Kubieziel
SMTP :: Simple Mail Transfer Protocol
POP3 :: Post Office Protocol Version 3
IMAP :: Internet Message Access Protocol
SMTP und POP3 :: How do servers "talk" to each other over the network?
Greylisting :: Greylisting explained.
Procmail :: Procmail website
SpamAssassin :: Widely used server-side open source spam filter
AMaViS :: A Mail Virus Scanner
TLS :: Transport Layer Security, encryption during transmission
Postfix :: Postfix mail server
Sendmail :: Sendmail, the oldest mail server program in the world
QMail :: QMail mail server
Exim :: Exim mail server
Thunderbird :: Mozilla Thunderbird. Free graphical mail program for all common operating systems
Mutt :: Excellent mail program for text mode (console)
Alpine :: Alpine mail program. Successor to Pine.
YAM :: Yet Another Mailer. Graphical mail program for the Commodore Amiga
File Download (57:42 min / 61 MB)