Indexing HTTPS pages by default

via Google Online Security Blog http://bit.ly/1MxIl7s

JIRA Workflows for handing AppSec RISKS

via Dinis Cruz Blog http://bit.ly/1mBznkt

Arnaud Kopp, Palo Alto Networks : Cybersécurité, A quoi faut-il s'attendre en 2016 ?

L'année 2016 définira une nouvelle perception de la sécurité dans l'UE La directive sur la sécurité des réseaux et l'information et la réforme globale du règlement sur la protection des données auront des conséquences sur les cyberstratégies en 2016. Elles seront toutes deux probablement sur le point d'entrer en vigueur d'ici la fin de l'année, mais les entreprises – qu'elles fassent partie d'une infrastructure nationale vitale, des Opérateurs d'importance vitale (OIV) ou qu'elles gèrent plus que les 5 000 (...) - Malwares

via Global Security Mag Online http://bit.ly/1RIdbC3

14 janvier - Paris - CLUSIF : Panorama de la Cybercriminalité - Année 2015

Le Panorama de la Cybercriminalité du CLUSIF s'est imposé depuis plusieurs années comme un événement incontournable dans le monde de la sécurité de l'information. Cette conférence dresse le bilan en matière de cybercriminalité mais également en matière d'événements sociétaux et parfois accidentels en relation avec la sécurité de l'information. Des experts reconnus en la matière, adhérents du CLUSIF mais aussi invités pour l'occasion au sein d'un comité de programme particulièrement pointu, ont sélectionné tous (...) - Événements

via Global Security Mag Online http://bit.ly/1Vbpvtm

Check Point : Quelles cyber-attaques ont fait trembler les entreprises le mois dernier ? Quels ont été les pays les plus exposés aux cyber-risques ?

Check Point® Software Technologies Ltd. révèle les familles les plus courantes de logiciels malveillants utilisés pour attaquer les réseaux des entreprises et les appareils mobiles dans le monde en novembre 2015. Selon le Threat Index de Check Point, la France se place au 52ème rang des pays les plus exposés aux risques de cyber-attaques en novembre, sur 140 pays analysés. Check Point a pu collecter ces informations détaillées sur les menaces grâce à sa ThreatCloud World Cyber Threat Map, qui (...) - Investigations

via Global Security Mag Online http://bit.ly/1Vbpvd6

DZone's 2015 Guide to Application Security

via Building Real Software http://bit.ly/1OjzCqG

Hyatt Hotels computers infected with malicious software

Hyatt Hotels on Wednesday revealed that it recently discovered malicious computer code on computers used for processing payments at locations it manages.

via Security News - Software vulnerabilities, data leaks, malware, viruses http://bit.ly/1NDIaeE

Internet : cas d’invalidation d’un constat d’huissier

Un arrêt de la Cour d’appel de Paris apporte des précisions non négligeables en termes de constat sur internet. Le 7 octobre 2015, la Cour d’appel de Paris a condamné pour parasitisme l’éditeur d’un site internet, qui avait copié quasiment à l’identique le plan, le contenu, le nom et l’agencement des …

via Lexing Alain Bensoussan http://bit.ly/1m4nPXc

Cloud souverain et offre informatique : état des lieux

Le Cloud souverain peut-il fournir une offre informatique d’infrastructures 100 % françaises aux entreprises ? En 2009, le gouvernement français s’est engagé dans le projet d’un cloud souverain initialement baptisé « Andromède » qui devait permettre de « développer une alternative française et européenne […] que les Nord-Américains dominent actuellement ». Aujourd’hui le projet …

via Lexing Alain Bensoussan http://bit.ly/1O3UE0K

#instagram #hack explain http://bit.ly/1QFnSFs #appsec #owasp #appsecfr #lk

#instagram #hack explain http://bit.ly/1QFnSFs #appsec #owasp #appsecfr #lk #blog

— Sebastien Gioria (@SPoint) December 21, 2015

from Twitter https://twitter.com/SPoint

December 21, 2015 at 03:49PM
via IFTTT

#backdoor dans les juniper ?..... http://bit.ly/1mbPipb #nsa #lprenseignement # sécurite #DGsi #dgse #lk

#backdoor dans les juniper ?..... http://bit.ly/1mbPipb #nsa #lprenseignement # sécurite #DGsi #dgse #lk #blog

— Sebastien Gioria (@SPoint) December 18, 2015

from Twitter https://twitter.com/SPoint

December 18, 2015 at 08:24AM
via IFTTT

Oh la belle encore.....#lk #grub2 http://bit.ly/1P7kwre

Oh la belle encore.....#lk #blog #grub2 http://bit.ly/1P7kwre

— Sebastien Gioria (@SPoint) December 16, 2015

from Twitter https://twitter.com/SPoint

December 16, 2015 at 06:54PM
via IFTTT

80% des applications mobiles utilisent de la crypto trouée …. 4/5 #fail l’#OWASP Top10 http://bit.ly/1ln8y3l? #appsecfr #appsec #lk

80% des applications mobiles utilisent de la crypto trouée …. 4/5 #fail l’#OWASP Top10 http://bit.ly/1ln8y3l? #appsecfr #appsec #lk #blog

— Sebastien Gioria (@SPoint) December 7, 2015

from Twitter https://twitter.com/SPoint

December 07, 2015 at 09:26AM
via IFTTT

Security in a Cloud-Enabled World: Free Microsoft Virtual Academy course

Recently Mark Simos, an Architect on our cybersecurity team, and I recorded an 8 module course on cloud security. If you are evaluating cloud services for use by your organization or already managing IT assets in a public or hybrid cloud, or just want to learn more about how the cloud helps customers manage cybersecurity threats, this course is for you. Mark does a great job of providing insights that … Read more »

via Cyber Trust Blog » Cybersecurity http://bit.ly/1PtWQA6

Z-Attack, un outil de test sécurité des réseaux #zwave http://bit.ly/1SnluAJ #iot #appsec #appsecfr #security #securite #ICS #lk

Z-Attack, un outil de test sécurité des réseaux #zwave http://bit.ly/1SnluAJ #iot #appsec #appsecfr #security #securite #ICS #lk #blog

— Sebastien Gioria (@SPoint) November 4, 2015

from Twitter https://twitter.com/SPoint

November 04, 2015 at 09:16AM
via IFTTT

Attacking #zwave network with z-Attack http://bit.ly/1k9Rjlo #iot #appsec #appsecfr #security #securite #ICS #lk

Attacking #zwave network with z-Attack http://bit.ly/1k9Rjlo #iot #appsec #appsecfr #security #securite #ICS #lk #blog

— Sebastien Gioria (@SPoint) November 4, 2015

from Twitter https://twitter.com/SPoint

November 04, 2015 at 09:15AM
via IFTTT

Curation de quelques liens cyber-sécurité pour la semaine 41

 Voici une liste de liens collectés la semaine 41 autour de la cyber-sécurité. 

Bonne lecture

Sécurité applicative

Un document (polémique ?) sur les détections des différents outils de revue de code commerciaux vs open-source : http://bit.ly/1htCic0

Sécurité IOT

Quelques regles de bons sens utiles a rappeler dans le cadre de la sécurité des Objets Connectés : http://bit.ly/1WMQhcL

Pour rappel, il existe un projet OWASP Top10 sur les IoT : https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

Sécurité des objets connectés de santé:

http://bit.ly/1iYrO5t

MyFox devient compatible IFTTT:

http://bit.ly/1Gpv9Qn

Sécurité mobile

Dans la série, je continue avec les malware IOS : iPhone : YiSpecter, un malware chinois particulièrement vicieux http://bit.ly/1GvOCPk

Databreach :

L'université de Lyon encore piratée  : http://bit.ly/1JWbOXn

4,6 Millions de données dans la nature chez ScottRade (société dans le Retail): http://www.krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-customers/

Experian perd aussi des données: http://krebsonsecurity.com/2015/10/at-experian-security-attrition-amid-acquisitions/

Droit / Réglementation :

L'élément important de cette semaine s'appelle le Safe Harbor :

• La Justice européennne bloque le transfert des données privées de l'UE vers les US  : http://bit.ly/1L5PCvJ 
• La position de la CNIL sur ce sujet du Safe Harbor :

 http://www.cnil.fr/linstitution/actualite/article/article/invalidation-du-safe-harbor-par-la-cour-de-justice-de-lunion-europeenne-une-decision-cl

Amazon a réagit sur l'annulation de l'accord Safe Harbor : http://amzn.to/1NwAJbu

Standard & Poors pourrait dégrader la notes des banques ayant un mauvais niveau de sécurité :  https://www.globalcreditportal.com/ratingsdirect/renderArticle.do?articleId=1455510&SctArtId=343857&from=CM&nsl_code=LIME&sourceObjectId=9348447&sourceRevId=2&fee_ind=N

ANSSI :

Dans le cadre du mois de la cybersécurité , Le CigRef et l'ANSSI ont lancé leur campagne de sensibilisation : http://www.hack-academy.fr/home

Des documents pédagogiques pour les enseignants de la part de l'ANSSI (CyberEdu): http://bit.ly/1N2GY3U

Le document annuel sur la cyber-résilience de l'Internet est en ligne : http://bit.ly/1Ns7GpD

Cloud :

Cette semaine dans le Cloud, il y avait la conférence Amazon re:Invent, avec au programme pas mal de choses orientées sécurité :

• De nouveaux cours sur AWS et la Sécurité : https://aws.amazon.com/blogs/aws/new-aws-security-courses/
• Lancement de nouveaux produits de sécurité AWS : http://amzn.to/1FZrXjw
• Les sessions Sécurité de re:Invent 2015 : http://amzn.to/1jQrBSG

Et aussi la sortie du WAF Amazon AWS : https://aws.amazon.com/fr/blogs/aws/new-aws-waf/

Malware/Hack

Twittor, une backdoor utilisant twitter pour le commande et contrôle : http://bit.ly/1jV4pCB

Vulnérabilités

Mutliples vulnérabilités dans Google Nexus : http://bit.ly/1OmoiO1

Elevation de privilèges dans le noyau Linux Ubuntu : http://bit.ly/1Mf4XtS

Une execution de code distante dans VMWare : https://www.7elements.co.uk/resources/blog/cve-2015-2342-remote-code-execution-within-vmware-vcenter/

Outils

Fournisseurs

CyberArk acquiert Viewfinity http://bit.ly/1FTB7hN  spécialiste de la gestion d'applications de contrôle et de la restriction des accès administrateurs pour Windows, pour compléter son offre de sécurisation des comptes à privilèges.

Marché Sécurité FR

LEXSI publie panorama sur les principales défaillances des réseaux SCADA : http://bit.ly/1jpUPqY

FrenchTech

Dans le cadre des projets d'investissements d'avenir, l'Etat débloque 10M€ pour créer des technologies protégeant la vie privée http://bit.ly/1L5PA6R

Hack Academy : se protéger des vols de mots de passe

Jenny, la jolie québécoise avec son chewing-gum, est spécialisée dans le vol de mots de passe, ou plus précisément dans l’art de deviner votre mot de passe. Rappelez-vous que grâce à cela elle peut accéder à  vos données personnelles,  vos photos, votre compte bancaire, … Tout cela vaut bien un effort pour les conserver bien au chaud et hors de portée des cybercriminels. Voici mes conseils pour éviter de subir les attaques de Jenny !

3 conseils pour des mots de passe en béton

Choisir un mot de passe ne s’improvise pas. Voici les 3 conseils que je fais à mes proches et collègues pour des mots de passe en béton : 

 

1. Mon premier conseil est d’utiliser un mot de passe différent par site – il est essentiel de ne pas utiliser le même mot de passe sur plusieurs sites. Un mot de passe, c’est comme une brosse à dents, cela ne se partage pas !
2. Le deuxième conseil est d’avoir des mots de passe avec un nombre important de caractères. Un mot de passe comme « LaVoitureVerteMangeDesChouxALaCreme » est un mot de passe qui résistera particulièrement aux attaques. Après, si un site limite le nombre de caractères autorisés, c’est un signe qui ne trompe pas car cela peut masquer des problèmes ; si c’est le cas, rabattez-vous sur le 3^ème conseil.
3. Le troisième et dernier conseil est d’intégrer dans votre mot de passe quelques caractères spéciaux (genre « !?$([# ») ici et là. De même, jonglez avec des minuscules/majuscules et insérez des chiffres.

 

Si vous deviez ne prendre en compte que deux conseils, mettez la gomme sur le 1^er (on ne partage pas sa brosse à dents – ses mots de passe non plus) et le second (des mots de passe particulièrement longs sont très robustes).

Si vous ne faites qu’une chose, voici laquelle :

Avant toute autre chose, la priorité est de sécuriser l’accès à vos emails/boîte aux lettres. Car qui prend le contrôle de votre boîte aux lettres pourra prendre le contrôle de vos comptes.

Donc, si vous ne devriez faire qu’une chose, c’est :

• définir un mot passe particulièrement long ou complexe pour votre boite aux lettres
• ne l’utilisez sur aucun autre site

Faites-le maintenant. N’attendez pas de voir arriver Jenny ou un autre cybercriminel sans scrupules ! Rappelez-vous : qui prend le contrôle de votre boîte aux lettres pourra prendre le contrôle de vos autres comptes sur les réseaux sociaux, etc…

Le coffre-fort à mots de passe et l’authentification à deux facteurs

Mais comment retenir un mot de passe unique, long et complexe pour chaque site ? La réponse est que c’est tout simplement impossible. Et puis de toute façon, personne n’ira vous demander de vous souvenir de près d’une centaine de mots de passe différents ! Car oui, la réponse est ailleurs : il existe des logiciels spéciaux appelés « coffres forts à mot de passe » qui font merveilleusement bien ce boulot à votre place : vous n’avez qu’à vous souvenir d’un seul et unique mot de passe (particulièrement complexe et que vous ne saisissez sur aucun site) pour ouvrir votre coffre-fort et accéder ainsi à vos mots de passe.

Mon logiciel préféré de « coffre-fort à mots de passe » c’est Keepass. Mais il y a aussi des services en lignes comme DashLane, 1Password pour ne citer qu’eux..

Quand cela est proposé par le service en ligne, il est possible de remplacer votre mot de passe par un code à usage unique (ce sont ces mots de passe qui changent toutes les 30 secondes) ou que ce code à usage unique soit demandé s’il détecte une connexion depuis un périphérique qu’il ne connaît pas déjà. Le plus souvent, il s’agit d’installer une application sur votre Smartphone et le tour est joué. Les grands services en ligne le proposent gratuitement – il suffit juste de penser à l’activer ! Pour savoir si votre service préféré supporte le 2FA (2-Factors Authentication – Authentification à 2 facteurs ou éléments), allez jeter un œil sur ce site : http://bit.ly/1MtaLju

Eviter de donner le bâton pour se faire battre par les réseaux sociaux

Au-delà de ces quelques conseils, il reste important de contrôler les informations personnelles vous concernant sur les réseaux sociaux. Car même si Willy - un autre candidat de la Hack Academy - n’utilise pas d’informations personnelles récupérées sur les réseaux pour lancer ses attaques de phishing, ces informations personnelles sont de l’or de en barre pour des attaques ciblées. Et puis, conserver sa vie privée vraiment privée, c’est mieux.

Relevez le défi !

Ah, j’allais oublier ! Même si les logiciels antivirus laissent parfois passer certaines menaces, ils sont nécessaires et doivent être régulièrement mis à jour. Il ne s’agirait pas qu’un logiciel espion installé sur votre machine vienne récupérer votre « MotdepasseMagiquequeJennynepourraPasDeviner! »

Allez, venez sur la Hack Academy et relevez le défi de Jenny !

Jean-François (aka Jeff) Audenard.

via http://oran.ge/1MtaLjw

Mozilla Releases Security Update for Firefox

Original release date: October 15, 2015

Mozilla has released Firefox 41.0.2 to address a security vulnerability. Exploitation of this vulnerability may allow a remote attacker to obtain sensitive information from an affected system.

US-CERT encourages users and administrators to review Mozilla Security Advisory 2015-115 and apply the necessary update.

---

This product is provided subject to this Notification and this Privacy & Use policy.

via US-CERT Current Activity http://1.usa.gov/1GJCaLY

Le gouvernement américain renonce à ses backdoors légales

La semaine dernière devant le Sénat américain, le directeur du FBI a confié qu’il ne demanderait pas de texte venant encadrer la mise en place de portes dérobées pour les acteurs du monde de l’IT.

via ZDNet actualites http://bit.ly/1Lsbnt6

Sécurité : Samsung ajoute la brique Cryptosmart à Knox

L'outil, développé par le français Ercom, sécurise les échanges voix/données, et est particulièrement utilisée dans les entreprises sensibles et par les Etats.

via ZDNet actualites http://bit.ly/1juYmUJ

#USBKiller v2.0. Attention a vos ports USB….. http://bit.ly/1REpiNE via @Korben #lk

#USBKiller v2.0. Attention a vos ports USB….. http://bit.ly/1REpiNE via @Korben #lk #blog

— Sebastien Gioria (@SPoint) October 13, 2015

from Twitter https://twitter.com/SPoint

October 13, 2015 at 02:15PM
via IFTTT

OWASP #ASVS v3.0 est disponible au téléchargement #appsec #appsecfr #owasp #security #securecoding http://bit.ly/1QnfDu6 #lk #veille

OWASP #ASVS v3.0 est disponible au téléchargement #appsec #appsecfr #owasp #security #securecoding http://bit.ly/1QnfDu6 #lk #blog #veille

— Sebastien Gioria (@SPoint) October 13, 2015

from Twitter https://twitter.com/SPoint

October 13, 2015 at 11:17AM
via IFTTT

Bug bounty avec des moreceaux de @korben dedans... http://bit.ly/1hAiwvu #appsec #appsecfr #lk #veille

Bug bounty avec des moreceaux de @korben dedans... http://bit.ly/1hAiwvu #appsec #appsecfr #lk #blog #veille

— Sebastien Gioria (@SPoint) October 12, 2015

from Twitter https://twitter.com/SPoint

October 12, 2015 at 05:29PM
via IFTTT

How hackers can access iPhone contacts and photos without a password

Once again, fully patched iPhone lock screens can be bypassed with a few keystrokes.

via Ars Technica » Risk Assessment http://bit.ly/1LJzcie

Apple removes several apps that could spy on encrypted traffic

Third-party root certificates could man-in-the-middle HTTPS connections.

via Ars Technica » Risk Assessment http://bit.ly/1jrnfkh

SHA1 algorithm securing e-commerce and software could break by year’s end

Researchers warn widely used algorithm should be retired sooner.

via Ars Technica » Risk Assessment http://bit.ly/1OtvVUy

Twittor – Backdoor Using Twitter For Command & Control

via Darknet - The Darkside http://bit.ly/1jV4pCB

Customer Update—AWS and EU Safe Harbor

Recently, the European Court of Justice determined that the 15-year-old US-EU Safe Harbor framework is no longer valid for the transfer of personal data from the European Economic Area (EEA) to the US.

At AWS, we know customers care deeply about privacy and data security; we optimize our work to get these issues right for our customers around the world. Today, we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law. This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who are processing personal data whether they are established in Europe or a global company operating in the EEA. For additional information, please visit AWS EU Data Protection FAQ.

For customers not looking to transfer personal data out of the EEA, we continue to give them all of the security, privacy, and control they have always had with AWS, such as:

• Customers maintain ownership of their customer content and select which AWS services process, store, and host their customer content.
• Customers determine where their customer content will be stored, allowing them to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt.
• Customers choose the secured state of their customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.

For additional information, please visit AWS Privacy and Data Security FAQ.

At AWS, customer trust is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption.

- Steve

via AWS Security Blog http://amzn.to/1NwAJbu

How do open source static analysis tools stack up against commercial tools?

There are many static analysis tools that can be used to check an application for quality and security issues. Code Dx currently integrates with 24 of them. There’s a mix of both commercial and freely available tools. Many of the...

The post How do open source static analysis tools stack up against commercial tools? appeared first on .

via http://bit.ly/1htCic0

Le Cesin s'inquiète pour la protection des données dispersées et transformées

via http://bit.ly/1JWbPdL

Le Cigref et l'ANSSI veulent que les DSI se préoccupent de la sécurité

via http://bit.ly/1JWbMPe

Fin du transfert des données privées vers les US, quelles alternatives pour les entreprises

via Actualités securite http://bit.ly/1JWbOXo

Now Available: New AWS Security Training Classes

Today we launched a new AWS training curriculum on security. The two new classes made available today are designed to help you meet your cloud security objectives under the AWS Shared Responsibility Model, by showing you how to create more secure AWS architectures and solutions and address key compliance requirements.

Here’s a closer look at the new training classes:

• AWS Security Fundamentals: This free 3-hour online class is designed to introduce you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. The class is meant primarily for security professionals with little or no working knowledge of AWS and also addresses security-related compliance protocols, risk management strategies, and procedures for auditing AWS security infrastructure.
• Security Operations on AWS: This 3-day, classroom-based deep dive covers security features of key AWS services and AWS best practices for securing data and systems. You’ll learn about regulatory compliance standards and use cases for running regulated workloads on AWS. Hands-on practice with AWS security products and features will help you take your security operations to the next level.

Visit AWS Training to learn more about the new security classes and find a class near you. Have feedback for us? Leave a comment below.

- Maureen

via AWS Security Blog http://amzn.to/1hsnSJc

Learn About the Rest of the Security and Compliance Track Sessions Being Offered at re:Invent 2015

Previously, I mentioned that the re:Invent 2015 Security & Compliance track sessions had been announced, and I also discussed the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.

Today, I will highlight the remainder of the sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent 2015, you can add these sessions to your schedule now. If you won’t be attending re:Invent in person this year, keep in mind that all sessions will be available on YouTube (video) and SlideShare (slide decks) after the conference.

Auditing

SEC314: Full Configuration Visibility and Control with AWS Config

With AWS Config, you can discover what is being used on AWS, understand how resources are configured and how their configurations changed over time—all without disrupting end-user productivity on AWS. You can use this visibility to assess continuous compliance with best practices, and integrate with IT service management, configuration management, and other ITIL tools. In this session, AWS Senior Product Manager Prashant Prahlad will discuss:

• Mechanisms to aggregate this deep visibility to gain insights into your overall security and operational posture.
• Ways to leverage notifications from the service to stay informed, trigger workflows, or graph your infrastructure.
• Integrating AWS Config with ticketing and workflow tools to help you maintain compliance with internal practices or industry guidelines.
• Aggregating this data with other configuration management tools to move toward a single source of truth solution for configuration management.

This session is best suited for administrators and developers with a focus on audit, security, and compliance.

SEC318: AWS CloudTrail Deep Dive

Ever wondered how can you find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn from AWS Senior Product Manager Sivakanth Mundru how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.

We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications, when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files.

SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR

Do you want to analyze AWS CloudTrail events within minutes of them arriving in your Amazon S3 bucket? Would you like to learn how to run expressive queries over your CloudTrail logs? AWS Senior Security Engineer Will Kruse will demonstrate Apache Spark and Apache Spark Streaming as two tools to analyze recent and historical security logs for your accounts. To do so, we will use Amazon Elastic MapReduce (EMR), your logs stored in S3, and Amazon SNS to generate alerts. With these tools at your fingertips, you will be the first to know about security events that require your attention, and you will be able to quickly identify and evaluate the relevant security log entries.

DDoS

SEC306: Defending Against DDoS Attacks

In this session, AWS Operations Manager Jeff Lyon and AWS Software Development Manager Andrew Kiggins will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:

• DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
• What AWS does to protect our services from these attacks.
• How this all relates to the AWS Shared Responsibility Model.

Incident Response

SEC308: Wrangling Security Events in the Cloud

Have you prepared your AWS environment for detecting and managing security-related events? Do you have all the incident response training and tools you need to rapidly respond to, recover from, and determine the root cause of security events in the cloud? Even if you have a team of incident response rock stars with an arsenal of automated data acquisition and computer forensics capabilities, there is likely a thing or two you will learn from several step-by-step demonstrations of wrangling various potential security events within an AWS environment, from detection to response to recovery to investigating root cause. At a minimum, show up to find out who to call and what to expect when you need assistance with applying your existing, already awesome incident response runbook to your AWS environment. Presenters are AWS Principal Security Engineer Don “Beetle” Bailey and AWS Senior Security Consultant Josh Du Lac.

SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)

Using Security Incident Response Simulations (SIRS—also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, AWS Senior Technical Program Manager Jonathan Miller and AWS Global Security Architect Armando Leite will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

Key Management

SEC301: Strategies for Protecting Data Using Encryption in AWS

Protecting sensitive data in the cloud typically requires encryption. Managing the keys used for encryption can be challenging as your sensitive data passes between services and applications. AWS offers several options for using encryption and managing keys to help simplify the protection of your data at rest. In this session, AWS Principal Product Manager Ken Beer and Adobe Systems Principal Scientist Frank Wiebe will help you understand which features are available and how to use them, with emphasis on AWS Key Management Service and AWS CloudHSM. Adobe Systems Incorporated will present their experience using AWS encryption services to solve data security needs.

SEC401: Encryption Key Storage with AWS KMS at Okta

One of the biggest challenges in writing code that manages encrypted data is developing a secure model for obtaining keys and rotating them when an administrator leaves. AWS Key Management Service (KMS) changes the equation by offering key management as a service, enabling a number of security improvements over conventional key storage methods. Okta Senior Software Architect Jon Todd will show how Okta uses the KMS API to secure a multi-region system serving thousands of customers. This talk is oriented toward developers looking to secure their applications and simplify key management.

Overall Security

SEC201: AWS Security State of the Union

Security must be at the forefront for any online business. At AWS, security is priority number one. AWS Vice President and Chief Information Security Officer Stephen Schmidt will share his insights into cloud security and how AWS meets customers' demanding security and compliance requirements—and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in the government, space exploration, research, and financial services organizations, will share an industry perspective that's unique and invaluable for today's IT decision makers.

SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud

Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.

In this session, Sumo Logic VP of Security/CISO Joan Pepin will cover:

• Key market drivers and advantages for leveraging cloud architectures.
• Foundational design principles to guide strategy for securely leveraging the cloud.
• The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
• Real-world customer insights from organizations who have successfully adopted the "Defense in Depth" approach.

Session sponsored by Sumo Logic.

SEC203: Journey to Securing Time Inc's Move to the Cloud

Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy. 

Who should attend: InfoSec and IT management. Session sponsored by Alert Logic.

SEC303: Architecting for End-to-End Security in the Enterprise

This session will tell the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, AWS Principal Consultant Hart Rossman and AWS Principal Security Solutions Architect Bill Shinn will share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads

CSC Director of Global Cloud Portfolio Kyle Falkenhagen will demonstrate enterprise policy, governance, and security products to deploy and manage enterprise and industry applications AWS.  CSC will demonstrate automated provisioning and management of big data platforms and industry specific enterprise applications with automatically provisioned secure network connectivity from the datacenter to AWS over layer 2 routed AT&T Netbond (provides AWS DirectConnect access) connection.  CSC will also demonstrate how applications blueprinted on CSC's Agility Platform can be re-hosted on AWS in minutes or re-instantiated across multiple AWS regions. CSC will also demonstrate how CSC can provide agile and consumption-based endpoint security for workloads in any cloud or virtual infrastructure, providing enterprise management and 24x7 monitoring of workload compliance, vulnerabilities, and potential threats.

Session sponsored by CSC.

SEC402: Enterprise Cloud Security via DevSecOps 2.0

Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.

We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit DevSecOps Leader Shannon Lietz and AWS Senior Security Consultant Matt Bretan to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.

Security Architecture

SEC205: Learn How to Hackproof Your Cloud Using Native AWS Tools

The cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, autoscaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats. And AWS provides powerful tools that enable users to confidently overcome these challenges.

In this session, CloudCheckr Founder and CTO Aaron Newman will discuss leveraging native AWS tools as he covers topics including:

• Minimizing attack vectors and surface area.
• Conducting perimeter assessments of your virtual private clouds (VPCs).
• Identifying internal vs. external threats.
• Monitoring threats.
• Reevaluating intrusion detection, activity monitoring, and vulnerability assessment in AWS.

Session sponsored by CloudCheckr.

Enjoy re:Invent!

- Craig

via AWS Security Blog http://amzn.to/1hsnSIZ

Today's Security and Compliance Sessions at re:Invent 2015

If you are attending re:Invent 2015 in Las Vegas this week, you can attend any of the following Security & Compliance track sessions taking place today. 

Didn't register before the conference sold out? All sessions are being recorded and will be made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.  

Click any of the following links to learn more about a breakout session.

Compliance

• SEC304: Architecting for HIPAA Compliance on AWS
• SEC312: Reliable Design and Deployment of Security and Compliance

DDoS

• SEC306: Defending Against DDoS Attacks

Incident Response

• SEC308: Wrangling Security Events in the Cloud

Identity and Access Management

• SEC302: IAM Best Practices to Live By

Overall Security

• SEC201: AWS Security State of the Union
• SEC303: Architecting for End-to-End Security in the Enterprise
• SEC323: NEW LAUNCH! Securing Web Applications with AWS WAF

Security Architecture

• SEC205: Learn How to Hackproof Your Cloud Using Native AWS Tools

- Craig

via AWS Security Blog http://amzn.to/1jQrBSG

New Security Services Launched at AWS re:Invent 2015—Amazon Inspector, AWS WAF, and AWS Config Rules

Today at re:Invent, AWS announced two new security services and one new feature to help you improve your security posture and protect applications deployed on AWS.

Amazon Inspector is an automated security assessment service that helps minimize the likelihood of introducing security or compliance issues when deploying applications on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.

To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security compliance standards (such as PCI DSS) and vulnerability definitions. Examples include enabling remote root login, or including vulnerable software versions. These rules are regularly updated by AWS security researchers.

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over your web applications by defining customizable web security rules.

You can use AWS WAF to block common attack patterns, such as SQL injection or cross-site scripting, and create custom rules specific to your applications. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a fully featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

AWS WAF is generally available, and Amazon Inspector is available in preview. AWS also announced preview availability of AWS Config Rules.

AWS Config Rules is a feature of AWS Config, and is a new set of cloud governance capabilities that allow IT administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of prebuilt rules based on common AWS best practices or custom rules that you define. For example, you can ensure Amazon EBS volumes are encrypted, Amazon EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. Config Rules can continuously monitor your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT administrator can quickly determine when and how a resource went out of compliance.

These new services and new feature will make it significantly easier for you to assess your applications’ security, keep track of deviations from best practice, and protect your applications throughout the development lifecycle.

- Paul

 

via AWS Security Blog http://amzn.to/1FZrXjw

Inspecting Security and Privacy Settings of a Website

Inspecting the Content Security Policy of a Website Starting in Firefox 41, Mozilla provides a developer tool that allows users to inspect the security settings of a website. Using GCLI (Graphic Command Line Interface) a user can inspect the Content Security Policy (CSP) of a website. CSP is a security concept that allows websites to […]

via Mozilla Hacks - the Web developer blog http://mzl.la/1j9A3LX

CERTFR-2015-AVI-418 : Multiples vulnérabilités dans Google Nexus (06 octobre 2015)

De multiples vulnérabilités ont été corrigées dans Google Nexus. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une élévation de privilèges.

via Les derniers documents du CERT-FR. http://bit.ly/1OmoiO1

CERTFR-2015-AVI-419 : Vulnérabilité dans le noyaux Linux d'Ubuntu (06 octobre 2015)

Une vulnérabilité a été corrigée dans le noyau Linux d'Ubuntu. Elle permet à un attaquant de provoquer une élévation de privilèges.

via Les derniers documents du CERT-FR. http://bit.ly/1Mf4XtS

Identifier les assaillants : avant, pendant et après l'attaque…

Lorsque l'entreprise est sous le feu des pirates, elle cherche avant tout à limiter les dégâts, à protéger ses actifs et à faire cesser l'attaque afin de reprendre son activité au plus vite. Mais savoir précisément d'où vient l'attaque et qui en est l'auteur peut lui donner un avantage précieux. Qu'elle le fasse pendant l'attaque, après ou voire même avant (threat intelligence), l'entreprise ne peut plus faire l'autruche : elle doit connaître son ennemi, ses objectifs, ses moyens et ses méthodes. Jérôme Saiz, (...) - Investigations / affiche, ASSISES 2015

via Global Security Mag Online http://bit.ly/1jOtwqL

A billion Android phones are vulnerable to new Stagefright bugs

Stagefright 2.0 comes as Android users were still recovering from Stagefright 1.

via Ars Technica » Risk Assessment http://bit.ly/1YWHjvt

Patreon was warned of serious website flaw 5 days before it was hacked

Even worse: Thousands of other sites are making the same facepalm-worthy mistake.

via Ars Technica » Risk Assessment http://bit.ly/1L6dK1h

Scottrade breach exposes sensitive data for 4.6 million customers

Contrary to what company advises, users should change passwords immediately.

via Ars Technica » Risk Assessment http://bit.ly/1VDygjS

New Outlook mailserver attack steals massive number of passwords

Backdoor in Outlook Web Application operates inside target's firewall.

via Ars Technica » Risk Assessment http://bit.ly/1LykgmX

I’m no expert, but holy crap the hacking on Homeland was bad

"There’s a zero-day defect on this firewall."

via Ars Technica » Risk Assessment http://bit.ly/1KZKfjT

Trump Hotels payment system infected with malware

Claims "no forensic evidence" of theft of data but offers complimentary protection.

via Ars Technica » Risk Assessment http://bit.ly/1OlDfl7

The three golden rules for software security in the IoT | Information Age

via The three golden rules for software security in the IoT | Information Age http://bit.ly/1WMQhcL

This Secure Operating System Can Protect You Even if You Get Hacked

Hackers, Government Agencies and sophisticated malware, are collecting every piece of Digital data that we transmit through our Computers, Smartphones or Internet-enabled Gadgets. No matter how secure you think you might be, something malicious can always happen. Because, "With the right tools and Talent, a Computer is an open book." Many people ask, How to stay safe and secure online?

via The Hacker News http://bit.ly/1j7D8vW

New AWS Security Courses (Fundamentals & Operations)

It’s probably no surprise that information security is one of today’s most sought after IT specialties. It’s also deeply important to our customers and any company considering moving to the cloud. So, today we’re launching a new AWS Training curriculum focused on security. The curriculum’s two new classes are designed to help you meet your […]

via AWS Official Blog http://amzn.to/1LxR3IP

L'Etat débloque 10M€ pour créer des technologies protégeant la vie privée

via Actualités securite http://bit.ly/1L5PA6R

"ASP.NET MVC: Secure Data Transmission"

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will review secure data transmission in the ASP.NET MVC framework.Secure data transmission is a critical step towards securing our customer information over the web. In fact, many of our SoftServe applications are regulated by HIPAA, which has the following secure data transmission requirements:Client-server communication should be performed via secured channel (TLS/HTTPS)Client (front-end application) should not pass any PHI data in URL parameters when sending requests to the serverAll data transmission outside of the system should be performed via secure protocol (HTTPS, Direct Protocol, etc.)To satisfy this requirement, let's examine how to secure data transmission in an ASP.NET MVC application.Enable HTTPS DebuggingOne of my favorite ...

via AppSec Street Fighter - SANS Institute http://bit.ly/1YZRNdB

Today, all stores in the US should accept chip-and-PIN cards. Yeah, right.

Liability shift is beginning of a very protracted end for magnetic stripe cards.

via Ars Technica http://bit.ly/1JLnADS

La loi numérique soumise à contribution publique jusqu'au 18 octobre

via Actualités securite http://bit.ly/1Vw0WGa

Piratage des données de 15 millions de clients T-Mobile

via Actualités securite http://bit.ly/1OdFvLc

Pas de backdoor dans #trueCrypt, mais des failles identifiées quand meme #appsec #appsecfr #lk http://bit.ly/1LjBcgK

Pas de backdoor dans #trueCrypt, mais des failles identifiées quand meme #appsec #appsecfr #lk #blog http://bit.ly/1LjBcgK

— Sebastien Gioria (@SPoint) September 30, 2015

from Twitter https://twitter.com/SPoint

September 30, 2015 at 10:45AM
via IFTTT

Banks: Card Breach at Hilton Hotel Properties — Krebs on Security #appsec #appsecfr #lk http://bit.ly/1MR5CY7

Banks: Card Breach at Hilton Hotel Properties — Krebs on Security #appsec #appsecfr #lk #blog http://bit.ly/1MR5CY7

— Sebastien Gioria (@SPoint) September 27, 2015

from Twitter https://twitter.com/SPoint

September 27, 2015 at 08:08AM
via IFTTT

Les 5 voitures les plus vulnérables au piratage

via Actualités securite http://bit.ly/1Mu1zh9

XcodeGhost malware worrisome, but overhyped; focus on future attacks, experts say

As the cause behind the largest compromising of Apple apps ever, XcodeGhost malware is worth discussing, but really, it's the tactics behind the malware infections that are cause for concern, experts say.

via Latest articles from SC Magazine http://bit.ly/1OO6Um5

Inside Target Corp., Days After 2013 Breach

In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation -- until now never publicly revealed -- confirm what pundits have long suspected: Once inside Target's network, there was nothing stop attackers from gaining direct and complete access to every single cash register in every Target store.

via Krebs on Security http://bit.ly/1KxLhkL

Disabling SSLv3 and RC4

via Google Online Security Blog http://bit.ly/1OO61tG

$1 Million Reward for Anyone Who Can Hack Apple’s latest iOS 9

Great news for iOS lovers and bug bounty hunters! As of today, you have the chance to earn $1 million for finding any critical zero-day vulnerabilities within the latest iOS 9 mobile operating system released by Apple. Security firm Zerodium, a startup spawn from the French-based security firm VUPEN, a well known competitor in the [...]

Source: $1 Million Reward for Anyone Who Can Hack Apple’s latest iOS 9 appeared first on Freedom Hacker the number one source for hacking news, security news & everything cyber.

via Freedom Hacker http://bit.ly/1Pnicvx

PME et Cyber sécurité : Qu'est-ce qu'une attaque DDoS et comment s'en prémunir ?

Les TPE et PME sont de plus en plus nombreuses à utiliser internet pour communiquer avec leurs clients et prospects. Il est impensable aujourd'hui - dans cet environnement très concurrentiel - de se faire connaître et de fidéliser sa clientèle sans passer par une communication online. Les petites structures sont ainsi nombreuses à créer leurs sites internet mais aussi leurs boutiques en ligne. Mais, l'accroissement de l'activité en ligne des petites entreprises attire l'attention des hackers, qui (...) - Points de Vue

via Global Security Mag Online http://bit.ly/1QW51mv

ISC BIND Security Advisory - September 2015

2015/09/02 - 12:30 PM PST

 

The issues described in the ISC BIND security advisory (CVE-2015-5986 / CVE-2015-5722) posted at http://bit.ly/1KYfcrR  do not affect AWS services.

 

via Security Bulletins http://amzn.to/1KYff6P

re:Invent 2015: All Security and Compliance Track Breakout Sessions

If you will be attending re:Invent 2015 in Las Vegas next month, you know that you'll have many opportunities to learn more about AWS security at the conference. The following breakout sessions compose this year's Security and Compliance track. Look for blog posts in the coming three weeks to highlight some of these specific breakout sessions as the October 6 start date approaches.

Didn't register before the conference sold out? All sessions will be recorded and made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.  

Click any of the following links to learn more about a breakout session.

Auditing

• SEC314: Full Configuration Visibility and Control with AWS Config
• SEC318: AWS CloudTrail Deep Dive
• SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR

Compliance

• SEC204: AWS GovCloud (US) Not Just For Govies: Meeting Requirements for US-Only Access
• SEC304: Architecting for HIPAA Compliance on AWS
• SEC310: Splitting the Check on Compliance and Security: Keeping Developers and Auditors Happy in the Cloud
• SEC312: Reliable Design and Deployment of Security and Compliance
• SEC313: Security and Compliance at Petabyte Scale: Lessons from the National Cancer Institute's Cancer Genomics Cloud Pilot
• SEC320: AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance

DDoS

• SEC306: Defending Against DDoS Attacks

Incident Response

• SEC308: Wrangling Security Events in the Cloud
• SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)

Identity and Access Management

• SEC302: IAM Best Practices to Live By
• SEC305: Become an AWS IAM Policy Ninja in 60 Minutes or Less
• SEC307: A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers
• SEC315: AWS Directory Service Deep Dive

Key Management

• SEC301: Strategies for Protecting Data Using Encryption in AWS
• SEC401: Encryption Key Storage with AWS KMS at Okta

Overall Security

• SEC201: AWS Security State of the Union
• SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud
• SEC203: Journey to Securing Time Inc's Move to the Cloud
• SEC303: Architecting for End-to-End Security in the Enterprise
• SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads
• SEC402: Enterprise Cloud Security via DevSecOps 2.0

Security Architecture

• SEC205: Learn How to Hackproof Your Cloud Using Native AWS Tools

- Craig

via AWS Security Blog http://amzn.to/1KYesmz

Les pirates du SEO s'attaquent à Google Search Console

via Actualités securite http://bit.ly/1QCnq7w

Selon le FBI, l’internet des objets connectés va faire exploser le piratage

Selon un communiqué du Bureau Fédéral d’Investigation américain –le prestigieux ‘FBI’– le risque de piratage augmente à mesure de l’augmentation du nombre d’objets connectés dans la population. Le FBI, bureau fédéral américain en charge du renseignement intérieur, vient en effet de publier un communiqué qui tente de mettre en garde la population face au risque de […]

via Objets Connectés sur Aruco.com http://bit.ly/1Ob0TjQ

CSRFT - Cross Site Request Forgeries Web Vulnerabilities (Exploitation) Toolkit

via Hackers Online Club (HOC) http://bit.ly/1KKgWVl

Les 50 décisions clés du droit de l’Internet

L’équipe Legalis.net, site incontournable, vient de publier l’ouvrage « Les 50 décisions clés du droit de l’Internet« , une...

via Data Security Breach http://bit.ly/1UKq9S8

Hackito Ergo Sum 2015

Hackito Ergo Sum 2015 is being setup one more time! Created by /tmp/lab and for hacking & security passionate researchers, HES 2015 will be the 6th edition of this conference. […]

via /tmp/lab http://bit.ly/1XWMMlA

Les failles de sécurité en hausse de 10% au 1er semestre 2015

via Actualités securite http://bit.ly/1UGUtgu

Un ransomware sous Android modifie le code PIN

via Actualités securite http://bit.ly/1UGUt0f

Gemalto publie les résultats de l'étude Breach Level Index du 1er semestre 2015 portant sur la sécurité numérique

Gemalto publie les résultats de l'étude Breach Level Index pour le premier semestre 2015, qui fait apparaître 888 failles de données signalées au cours de cette période, compromettant ainsi 246 millions d'enregistrements de données dans le monde. Les failles de sécurité ont augmenté de 10 % par rapport au premier semestre de l'année précédente, alors que le nombre d'enregistrements de données compromis diminuait de 41 % au cours des six premiers mois. Cette nette amélioration peut être attribuée à la (...) - Investigations

via Global Security Mag Online http://bit.ly/1Fzoraf

A Network Analysis of a Web Server Compromise

Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From the initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is assumptions about the attackers’ reasons are avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.

via SANS Information Security Reading Room http://bit.ly/1Oet8xc

Skype : surveillance des conversations échangées sur internet

Les logiciels de communication audiovisuelle, tel que le logiciel Skype, permettent de passer des appels téléphoniques et vidéo via Internet. Pour lutter contre la criminalité et notamment contre le terrorisme, l’écoute de ces conversations audiovisuelles est devenue un enjeu majeur au même titre que l’interception des appels téléphoniques ou des …

via Lexing Alain Bensoussan http://bit.ly/1icgfI6

L’expertise judiciaire informatique : enjeux et méthodologie

Petit-déjeuner du 7 octobre 2015 « L’expertise judiciaire informatique : enjeux et méthodologie » – Benoit de Roquefeuil et Marie-Adélaïde de Montlivault-Jacquot  animeront un petit-déjeuner débat consacré à l’expertise judiciaire informatique. L’expertise se situe au cœur du contentieux technique. En matière informatique, l’expertise est donc une phase quasiment incontournable pour trouver une solution au différend opposant …

via Lexing Alain Bensoussan http://bit.ly/1UG2zkk

Courrier électronique : statut et valeur probatoire

La question du statut juridique du courrier électronique, de sa valeur probatoire ou de sa force contraignante est souvent posée (1). On se demande d’ailleurs pourquoi, tant il existe aujourd’hui d’articles de code, de lois ou de textes de nature règlementaire qui font état ou renvoient à l’usage d’un courrier …

via Lexing Alain Bensoussan http://bit.ly/1icgfI5

Improving Security for Bugzilla

The Bugzilla bug tracker is a major part of how we accomplish our mission of openness at Mozilla. It’s a tool for coordinating among our many contributors, and a focal point for community interactions. While most information in Bugzilla is … Continue reading

via Mozilla Security Blog http://mzl.la/1ETM4z6

U.S. Department of Defense issues interim rule imposing network penetration reporting requirements and addressing cybersecurity of cloud computing services

On August 25, 2015, the Department of Defense (“DoD”) issued interim rule DARS-2015-0039, which amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement a network penetration reporting requirement for contractors. Additionally, this rule implements DoD policy on the purchase of cloud computing services. The interim rule requires that all DoD cloud contractors and subcontractors … Continue reading

via Data Protection Report http://bit.ly/1hVZvUP

GS DAYS : Appel à communication de la 8ème édition - 7 avril 2016

« Convaincre sans contraindre »*, telle est la devise de cet événement sur la sécurité de l'information. L'objectif des GS Days, Journées francophones de la sécurité, est d'établir le dialogue entre le monde de la technique (administrateurs, experts sécurité), les RSSI, DSI et les décideurs. Ce colloque, exclusivement en français, proposera, dans un même espace, plusieurs cycles de conférences et de démonstrations d'exploitation de faille informatique, sous un angle technique, organisationnel et juridique. (...) - Les événements de Global Security Mag / primetime

via Global Security Mag Online http://bit.ly/1ETM4iH

Mozilla changes security model to bolster extension protection - SC Magazine UK

via SC Magazine UK http://bit.ly/1NTqWsD

How security flaws work: the buffer overflow

Starting with the 1988 Morris Worm, this flaw has bitten everyone from Linux to Windows.

via Ars Technica http://bit.ly/1MM92cC

sonar - A Framework for Scanning and Exploiting Internal Hosts With a Webpage http://bit.ly/1MJowhw #appsec #appsecfr #hack #lk

sonar - A Framework for Scanning and Exploiting Internal Hosts With a Webpage http://bit.ly/1MJowhw #appsec #appsecfr #hack #lk #blog

— Sebastien Gioria (@SPoint) August 24, 2015

from Twitter https://twitter.com/SPoint

August 24, 2015 at 10:22PM
via IFTTT

Docker Toolbox

One of the new features introduced in Docker 1.8 is Docker Toolbox. What is this toolbox? The Docker Toolbox is an installer to quickly and easily install and setup a Docker environment on your computer. Available for both Windows and Mac, the Toolbox installs Docker Client, Machine, Compose (Mac only), Kitematic and VirtualBox. Docker Toolbox ...

via Java Code Geeks http://bit.ly/1J3jiIL

Microsoft Pushes Emergency Patch for IE

Microsoft today released an out-of-band software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond and intended to replace IE).

via Security Bloggers Network http://bit.ly/1NtbQvV

Hacking communities in the Deep Web - InfoSec Institute

Introduction The role of hackers has changed over the years, in the past these professionals were viewed as dangerous criminals that needed to be kept at a

See it on Scoop.it, via Advanced Threats,Intelligence Technology,CyberSecurity

via Advanced Threats,Intelligence Technology,CyberSecurity | Scoop.it http://bit.ly/1J3jgk9

Comment activer les extensions que Firefox n’approuve pas ?

Quand mon Firefox beta s'est mis à jour vers la version 41, je n'ai pas tout de suite tilté qu'il me manquait quelques petites choses... En effet, sans vraiment prévenir, Firefox m'a bloqué de force certaines extensions (un bon paquet à vrai dire) car elles n'ont pas été "approuvées" par Firefox. Bon, pour être honnête > Lire la suite

Cet article merveilleux et sans aucun égal intitulé : Comment activer les extensions que Firefox n’approuve pas ? ; a été publié sur Korben, le seul site qui t'aime plus fort que tes parents.

via Korben http://bit.ly/1USiEFp

Was the Ashley Madison Database Leaked?

Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com -- a site that facilitates cheating and extramarital affairs -- has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.

via Krebs on Security http://bit.ly/1PyMv2W

Cloud security controls series: Encrypting Data in Transit

Whether organizations store and process data on-premise, in the cloud, or use a combination of both, it is important that they protect that data when it is transmitted across networks to information workers, partners and customers. For example, when an administrator is using the Microsoft Azure Portal to manage the service for their organization. The data transmitted between the device the administrator is using and the Azure Portal needs to … Read more »

via Cyber Trust Blog » Cybersecurity http://bit.ly/1Njw3VW

Say hello to the Enigma conference

via Google Research Blog http://bit.ly/1Njw1x6

Un développeur découvre deux failles zero-day dans OS X

via Actualités securite http://bit.ly/1PxSbKw

Google livre un 2ème correctif pour la faille Stagefright - Le Monde Informatique

via Google livre un 2ème correctif pour la faille Stagefright - Le Monde Informatique http://bit.ly/1PcYCSd

ZDI@10: 10 fascinating facts about 10 years of bug hunting

Over the last ten years, HP’s Zero Day Initiative (ZDI) established itself as the world’s premier vendor-agnostic bug bounty program. During this time, the ZDI released over 2,000 advisories and counting. Let’s look at some of the more interesting facts gleaned from a decade of running the world’s largest vendor-agnostic bug bounty program.

via HP Security Research Blog articles http://bit.ly/1fbgjFC

Appel à Communication : Conférence CLUSIF organisée le mercredi 14 octobre 2015 à 16h - Le RSSI : Quelle valeur ajoutée et quel rôle dans l'organisation

La prise de conscience puis l'appropriation de la problématique « sécurité de l'information » est aujourd'hui de plus en plus présente dans les entreprises. Celle-ci peut être apportée par différents biais : un besoin de conformité indispensable à l'obtention d'un marché, la conscience de la possession de données confidentielles, un besoin de disponibilité essentiel sur certaines ressources, une expérience vécue de vol de données, etc. Dans le même temps, il ne s'agit pas pour autant de ralentir l'évolution (...) - Événements

via Global Security Mag Online http://bit.ly/1fbg0dT

Après la Jeep Cherokee, une Corvette contrôlée à distance

via Actualités securite http://bit.ly/1JWDct5

Microsoft livre le 1er Patch Tuesday de l'ère Windows 10

via Actualités securite http://bit.ly/1L7KAkh

Oracle retire un billet critiquant les rapporteurs de bugs

via Actualités securite http://bit.ly/1L7KAkf

Lenovo encore épinglé pour avoir préinstallé un logiciel

via Actualités securite http://bit.ly/1NcwEYk

Firefox exploit found in the wild

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. … Continue reading

via Mozilla Security Blog http://mzl.la/1Ni1zjO

Black Hat 2015: Thunderstrike 2, le ver qui plombe les Mac de proche en proche

En combinant une série de failles sur Mac OS X, des chercheurs ont créé pour la première fois un ver capable d'infecter de proche en proche l'EFI Boot ROM des ordinateurs d'Apple. Heureusement, un patch récent neutralise en partie cette attaque. Pour l'instant...










via 01net. Actualités http://bit.ly/1IOxB2P

Voiture connectée et cybersécurité : le secteur automobile prend-il la bonne route ?

via Actualités securite http://bit.ly/1W0Nz44

Google ne veut pas appliquer le droit à l'oubli au niveau mondial

Sommé par la CNIL de déréférencer des contenus sur toutes les extensions de son moteur de recherche, la firme refuse et n'entend observer le droit à l'oubli que sur ses pages européennes.










via 01net. Actualités http://bit.ly/1g7KRZz

Le Cloud a failli tuer ma petite entreprise

Un entrepreneur raconte sa descente aux enfers après avoir basculé toute son activité dans le Cloud. Une aventure plutôt terrifiante qui mérite d'être partagée.










via 01net. Actualités http://bit.ly/1g7FzgH

Google defies French global 'right to be forgotten' ruling

Google is set to defy a French data authority ruling on the global removal of right to be forgotten links.

via Naked Security - Sophos http://bit.ly/1UfhCD4

"ASP.NET MVC: Data Validation Techniques"

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the data validation features built into the ASP.NET MVC framework.Data validation is one of the most important aspects of web app development. Investing effort into data validation makes your applications more robust and significantly reduces potential loss of data integrity.Out of the box, the ASP.NET MVC framework provides full support of special components and mechanisms on both the client side and the server side.Client-Side ValidationEnabled Unobtrusive JavaScript validation allows ASP.NET MVC HTML helper extensions to generate special markup to perform validation on the client side, before sending data to the server. The feature is controlled by the "UnobtrusiveJavaScriptEnabled" Boolean setting in the section.Let's have a look at the Register page from the SecureWebApp ...

via AppSec Street Fighter - SANS Institute http://bit.ly/1UemyIm

"Cloud Encryption Options - Good for Compliance, Not Great for Security"

Guest Editor: Today's post is from David Hazar. David is a security engineer focusing on cloud security architecture, application security, and security training. In this post, David will take a look at the encryption options for applications hosted in the cloud.Over the last decade, due to new compliance requirements or contractual obligations, many, if not most, companies have been implementing encryption to better protect the sensitive data they are storing and to avoid having to report a breach if an employee loses a laptop or if backup media is lost in the mail. One of the more popular ways of adding this additional protection is to implement some form of volume-based, container-based, or whole-disk encryption. It would be difficult to argue that there is an easier, more cost-effective method to achieve compliance than to utilize this type of encryption. Also, although there are potential weaknesses to some implementations of the technology, it is pretty ...

via AppSec Street Fighter - SANS Institute http://bit.ly/1UemAjx

La faille Android qui permet d’infecter un téléphone avec un simple MMS

On dit souvent que le plus gros facteur de risque pour choper un virus se situe entre le clavier et la chaise. En effet, aller sur des sites obscurs, télécharger des trucs chelous, ouvrir des pièces jointes en toute confiance... Non, je le sais, VOUS NE FAITES PAS ÇA !! Et c'est bien ! Pourtant > Lire la suite

Cet article merveilleux et sans aucun égal intitulé : La faille Android qui permet d’infecter un téléphone avec un simple MMS ; a été publié sur Korben, le seul site qui t'aime plus fort que tes parents.

via Korben http://bit.ly/1IwrBjw

United Airlines Hacked by Same Chinese Group Behind The OPM Breach

By Waqas

From cars to trains from computers to planes, anything connected with

This is a post from HackRead.com Read the original post: United Airlines Hacked by Same Chinese Group Behind The OPM Breach

via HackRead http://bit.ly/1Smu3j5

Security Sense: If You Program It, They Will Break It: How Connecting Things Can Make Them Worse

We seem to be connecting everything these days, but is it improving them or could it actually be compromising their very function? read more

via Security Bloggers Network http://bit.ly/1Icd9tg

Doing Terrible Things To Your Code

In 1992, I thought I was the best programmer in the world. In my defense, I had just graduated from college, this was pre-Internet, and I lived in Boulder, Colorado working in small business jobs where I was lucky to even hear about other programmers much less meet them.

I

via Coding Horror http://bit.ly/1DUv5XA

The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

via Dark Reading: http://ubm.io/1KuQWg7

La Zero Day Initiative révèle 4 failles dans Internet Explorer

via Actualités securite http://bit.ly/1KuQWg4

Tres interessante analyse de la cour de cassation.... "Un email constitue une commande ferme" #droit #lk http://bit.ly/1KrdgnW

Tres interessante analyse de la cour de cassation.... "Un email constitue une commande ferme" #droit #blog #lk http://bit.ly/1KrdgnW

— Sebastien Gioria (@SPoint) July 26, 2015

from Twitter https://twitter.com/SPoint

July 26, 2015 at 09:34AM
via IFTTT

Oh no!!!! On a hacke ma voiture !! http://bit.ly/1CUhAfI #appsec #appsecfr #lk #security #hack #connectedcars

Oh no!!!! On a hacke ma voiture !! http://bit.ly/1CUhAfI #appsec #appsecfr #blog #lk #security #hack #connectedcars

— Sebastien Gioria (@SPoint) July 24, 2015

from Twitter https://twitter.com/SPoint

July 24, 2015 at 03:19PM
via IFTTT

Internet Explorer : ne l'utilisez pas, il contient quatre failles non patchées

Microsoft n'ayant pas réagi après le délai de 120 jours, la Zero Day Initiative vient de publier quatre failles de sécurité dans Internet Explorer qui ne sont toujours pas corrigées. Il est conseillé de laisser IE de côté jusqu'au patch.










via 01net. Actualités http://bit.ly/1IivDHM

Two-Factor Authentication (2FA) using OpenOTP

This guide is for security-aware individuals who wish to learn the theory behind user- based two-factor (or multifactor) authentication systems, also known as “2FA”. Here we will discuss how 2FA systems work, and how to implement 2FA into a small, virtualized environment for testing purposes. By implementing 2FA, the hope is to enhance the cyber toolkit for administrators who wish to help mitigate the effects of user password theft by cyber intrusion. By following the steps outlined here, the reader should be able to comfortably configure a user account already existing in a Microsoft® Active Directory® (AD) environment to use the Google Authenticator application on his/her smartphone to authenticate with AD username and password+token for remote VPN access.

via SANS Information Security Reading Room http://bit.ly/1LApOfF

La nouvelle délibération Cnil sur la géolocalisation des salariés

Face à l’évolution des pratiques en matière de géolocalisation des véhicules utilisés par les salariés, la Cnil a adopté une nouvelle délibération n°2015-165 du 4 juin 2015 (1). Cette norme vient compléter la norme du 16 mars 2006 relatives aux conditions permettant de bénéficier du régime de la déclaration simplifiée. Les …

via Lexing Alain Bensoussan http://bit.ly/1LApOfC

Bug in latest version of OS X gives attackers unfettered root privileges

Released proof-of-concept exploit code could make existing Mac attacks meaner.

via Ars Technica http://bit.ly/1g7lFTL

Google, the Wassenaar Arrangement, and vulnerability research

via Google Online Security Blog http://bit.ly/1TPqrU9

Akamai met en garde contre une résurgence des attaques DDoS par réflexion au moyen d'un protocole de routage révolu

Akamai Technologies, Inc. publie ce jour, via PLXsert (Prolexic Security Engineering & Research Team), une nouvelle alerte de cybersécurité. La menace concerne l'utilisation croissante d'un protocole de routage révolu, RIPv1 (Routing Information Protocol), pour des attaques par réflexion et par amplification. Qu'est-ce que RIPv1 ? RIPv1 est un moyen rapide et facile de partager de manière dynamique des informations de routage sur un petit réseau multi-routeur. Une requête type est envoyée par (...) - Malwares

via Global Security Mag Online http://bit.ly/1KkeYre

Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

via Dark Reading: http://ubm.io/1MHzrGv

Hacking Team Detection Tools Released By Rook, Facebook

Organizations get help keeping up with Hacking Team threats, and Microsoft releases an out-of-band patch for a new Hacking Team 0-day.

via Dark Reading: http://ubm.io/1MHzrqf

Cloud security controls series: Multi-factor Authentication

Recently I wrote an article on the risk of leaked credentials in which I discussed how credentials are stolen in bulk directly from organizations’ websites. As illustrated in Figure 1, during the eight months between November 2013 and June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a … Read more »

via Cyber Trust Blog » Cybersecurity http://bit.ly/1CPfbTC