Monday, 19 October 2015

Curation of a few cyber-security links for week 41


Here is a list of links collected during week 41 on cyber-security.

Happy reading


Application security

A (controversial?) document on what the various commercial vs. open-source code review tools detect: http://bit.ly/1htCic0


IoT security

A few common-sense rules worth recalling for the security of connected objects: http://bit.ly/1WMQhcL

As a reminder, there is an OWASP Top 10 project for IoT: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

Security of connected health devices:

MyFox becomes IFTTT-compatible:



Mobile security

Continuing the series, on to iOS malware: iPhone: YiSpecter, a particularly vicious Chinese malware http://bit.ly/1GvOCPk

Data breaches:

The University of Lyon hacked again: http://bit.ly/1JWbOXn

4.6 million records leaked at ScottRade (a company in the Retail sector): http://www.krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-customers/




Law / Regulation:

This week's important item is the Safe Harbor:
  • The European court blocks the transfer of private data from the EU to the US: http://bit.ly/1L5PCvJ
  • The CNIL's position on the Safe Harbor question:

Amazon has reacted to the annulment of the Safe Harbor agreement: http://amzn.to/1NwAJbu



ANSSI:

As part of cybersecurity month, Cigref and ANSSI have launched their awareness campaign: http://www.hack-academy.fr/home

Teaching material for teachers from ANSSI (CyberEdu): http://bit.ly/1N2GY3U

The annual report on the cyber-resilience of the Internet is online: http://bit.ly/1Ns7GpD



Cloud:

This week in the Cloud there was the Amazon re:Invent conference, with quite a few security-oriented items on the programme:


And also the release of the Amazon AWS WAF: https://aws.amazon.com/fr/blogs/aws/new-aws-waf/


Malware/Hack

Twittor, a backdoor using Twitter for command and control: http://bit.ly/1jV4pCB

Vulnerabilities

Multiple vulnerabilities in Google Nexus: http://bit.ly/1OmoiO1


Privilege escalation in the Ubuntu Linux kernel: http://bit.ly/1Mf4XtS




Tools

Vendors

CyberArk acquires Viewfinity http://bit.ly/1FTB7hN, a specialist in application control and the restriction of administrator access on Windows, to round out its privileged account security offering.

French security market

LEXSI publishes an overview of the main weaknesses of SCADA networks: http://bit.ly/1jpUPqY

FrenchTech

As part of the "investments for the future" programme, the French State is releasing €10M to create privacy-protecting technologies http://bit.ly/1L5PA6R

Friday, 16 October 2015

Hack Academy: protecting yourself from password theft

Jenny, the pretty Québécoise with her chewing gum, specialises in password theft, or more precisely in the art of guessing your password. Remember that with it she can get at your personal data, your photos, your bank account, … All of that is well worth an effort to keep them safe and sound and out of cybercriminals' reach. Here is my advice for avoiding Jenny's attacks!

3 tips for rock-solid passwords

Choosing a password is not something to improvise. Here are the 3 tips I give my family and colleagues for rock-solid passwords:

  1. My first tip is to use a different password for each site – it is essential not to use the same password on several sites. A password is like a toothbrush: you don't share it!
  2. The second tip is to have passwords with a large number of characters. A password like « LaVoitureVerteMangeDesChouxALaCreme » is one that will stand up particularly well to attacks. Now, if a site limits the number of characters allowed, that is a telltale sign, because it may be hiding problems; if that is the case, fall back on the 3rd tip.
  3. The third and last tip is to include a few special characters (such as « !?$([# ») here and there in your password. Likewise, mix lowercase and uppercase and insert digits.

If you were to take only two tips on board, put the emphasis on the 1st (you don't share your toothbrush – nor your passwords) and the second (particularly long passwords are very robust).

If you do only one thing, here is what:

Before anything else, the priority is to secure access to your email/mailbox. Because whoever takes control of your mailbox will be able to take control of your accounts.

So, if you should do only one thing, it is this:

  • set a particularly long or complex password for your mailbox
  • do not use it on any other site

Do it now. Don't wait to see Jenny or another unscrupulous cybercriminal show up! Remember: whoever takes control of your mailbox will be able to take control of your other accounts on social networks, etc.

The password vault and two-factor authentication

But how do you remember a unique, long and complex password for each site? The answer is that it is quite simply impossible. And anyway, nobody is going to ask you to remember close to a hundred different passwords! Because yes, the answer lies elsewhere: there are special programs called « password vaults » that do this job wonderfully well for you: you only have to remember one single password (particularly complex, and one you never type on any site) to open your vault and thereby access your passwords.

My favourite « password vault » software is Keepass. But there are also online services such as DashLane and 1Password, to name only those.

When the online service offers it, it is possible to replace your password with a one-time code (these are the passwords that change every 30 seconds), or to have that one-time code requested when the service detects a login from a device it does not already know. Most often, it is just a matter of installing an app on your smartphone and you're done. The major online services offer it for free – you just have to remember to enable it! To find out whether your favourite service supports 2FA (2-Factor Authentication), take a look at this site: http://bit.ly/1MtaLju

Don't hand social networks a stick to beat you with

Beyond these few tips, it remains important to control the personal information about you on social networks. Because even if Willy - another Hack Academy contestant - does not use personal information collected from social networks to launch his phishing attacks, such personal information is pure gold for targeted attacks. And besides, keeping your private life truly private is better.

Take up the challenge!

Ah, I almost forgot! Even if antivirus software sometimes lets certain threats through, it is necessary and must be updated regularly. We wouldn't want spyware installed on your machine to come and grab your « MotdepasseMagiquequeJennynepourraPasDeviner! »

Come on, join the Hack Academy and take up Jenny's challenge!


Jean-François (aka Jeff) Audenard.



via http://oran.ge/1MtaLjw

Mozilla Releases Security Update for Firefox

Original release date: October 15, 2015

Mozilla has released Firefox 41.0.2 to address a security vulnerability. Exploitation of this vulnerability may allow a remote attacker to obtain sensitive information from an affected system.

US-CERT encourages users and administrators to review Mozilla Security Advisory 2015-115 and apply the necessary update.






via US-CERT Current Activity http://1.usa.gov/1GJCaLY

Tuesday, 13 October 2015

The US government gives up on its legal backdoors

Last week, before the US Senate, the director of the FBI admitted that he would not be asking for legislation to frame the installation of backdoors by players in the IT world.

via ZDNet actualites http://bit.ly/1Lsbnt6

Security: Samsung adds the Cryptosmart component to Knox

The tool, developed by the French company Ercom, secures voice/data exchanges and is used in particular by sensitive enterprises and by governments.

via ZDNet actualites http://bit.ly/1juYmUJ

#USBKiller v2.0. Watch out for your USB ports….. http://bit.ly/1REpiNE via @Korben #lk


from Twitter https://twitter.com/SPoint

October 13, 2015 at 02:15PM
via IFTTT

OWASP #ASVS v3.0 is available for download #appsec #appsecfr #owasp #security #securecoding http://bit.ly/1QnfDu6 #lk #veille


from Twitter https://twitter.com/SPoint

October 13, 2015 at 11:17AM
via IFTTT

Monday, 12 October 2015

Bug bounty with bits of @korben in it... http://bit.ly/1hAiwvu #appsec #appsecfr #lk #veille


from Twitter https://twitter.com/SPoint

October 12, 2015 at 05:29PM
via IFTTT

How hackers can access iPhone contacts and photos without a password

Once again, fully patched iPhone lock screens can be bypassed with a few keystrokes.

via Ars Technica » Risk Assessment http://bit.ly/1LJzcie

Apple removes several apps that could spy on encrypted traffic

Third-party root certificates could man-in-the-middle HTTPS connections.

via Ars Technica » Risk Assessment http://bit.ly/1jrnfkh

SHA1 algorithm securing e-commerce and software could break by year’s end

Researchers warn widely used algorithm should be retired sooner.

via Ars Technica » Risk Assessment http://bit.ly/1OtvVUy

Saturday, 10 October 2015

Twittor – Backdoor Using Twitter For Command & Control



via Darknet - The Darkside http://bit.ly/1jV4pCB

Customer Update—AWS and EU Safe Harbor

Recently, the European Court of Justice determined that the 15-year-old US-EU Safe Harbor framework is no longer valid for the transfer of personal data from the European Economic Area (EEA) to the US.

At AWS, we know customers care deeply about privacy and data security; we optimize our work to get these issues right for our customers around the world. Today, we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law. This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who are processing personal data whether they are established in Europe or a global company operating in the EEA. For additional information, please visit AWS EU Data Protection FAQ.

For customers not looking to transfer personal data out of the EEA, we continue to give them all of the security, privacy, and control they have always had with AWS, such as:

  • Customers maintain ownership of their customer content and select which AWS services process, store, and host their customer content.
  • Customers determine where their customer content will be stored, allowing them to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt.
  • Customers choose the secured state of their customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.

For additional information, please visit AWS Privacy and Data Security FAQ.

At AWS, customer trust is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption.

- Steve



via AWS Security Blog http://amzn.to/1NwAJbu

Friday, 9 October 2015

How do open source static analysis tools stack up against commercial tools?

There are many static analysis tools that can be used to check an application for quality and security issues. Code Dx currently integrates with 24 of them. There’s a mix of both commercial and freely available tools. Many of the...

The post How do open source static analysis tools stack up against commercial tools? appeared first on .



via http://bit.ly/1htCic0

Cesin worries about the protection of dispersed and transformed data



via http://bit.ly/1JWbPdL

Cigref and ANSSI want CIOs to take an interest in security



via http://bit.ly/1JWbMPe

End of private data transfers to the US: what alternatives for companies?



via Actualités securite http://bit.ly/1JWbOXo

Thursday, 8 October 2015

Now Available: New AWS Security Training Classes

Today we launched a new AWS training curriculum on security. The two new classes made available today are designed to help you meet your cloud security objectives under the AWS Shared Responsibility Model by showing you how to create more secure AWS architectures and solutions and address key compliance requirements.

Here’s a closer look at the new training classes:

  • AWS Security Fundamentals: This free 3-hour online class is designed to introduce you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. The class is meant primarily for security professionals with little or no working knowledge of AWS and also addresses security-related compliance protocols, risk management strategies, and procedures for auditing AWS security infrastructure.
  • Security Operations on AWS: This 3-day, classroom-based deep dive covers security features of key AWS services and AWS best practices for securing data and systems. You’ll learn about regulatory compliance standards and use cases for running regulated workloads on AWS. Hands-on practice with AWS security products and features will help you take your security operations to the next level.

Visit AWS Training to learn more about the new security classes and find a class near you. Have feedback for us? Leave a comment below.

- Maureen



via AWS Security Blog http://amzn.to/1hsnSJc

Learn About the Rest of the Security and Compliance Track Sessions Being Offered at re:Invent 2015

Previously, I mentioned that the re:Invent 2015 Security & Compliance track sessions had been announced, and I also discussed the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.

Today, I will highlight the remainder of the sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent 2015, you can add these sessions to your schedule now. If you won’t be attending re:Invent in person this year, keep in mind that all sessions will be available on YouTube (video) and SlideShare (slide decks) after the conference.

Auditing

SEC314: Full Configuration Visibility and Control with AWS Config

With AWS Config, you can discover what is being used on AWS, understand how resources are configured and how their configurations changed over time—all without disrupting end-user productivity on AWS. You can use this visibility to assess continuous compliance with best practices, and integrate with IT service management, configuration management, and other ITIL tools. In this session, AWS Senior Product Manager Prashant Prahlad will discuss:

  • Mechanisms to aggregate this deep visibility to gain insights into your overall security and operational posture.
  • Ways to leverage notifications from the service to stay informed, trigger workflows, or graph your infrastructure.
  • Integrating AWS Config with ticketing and workflow tools to help you maintain compliance with internal practices or industry guidelines.
  • Aggregating this data with other configuration management tools to move toward a single source of truth solution for configuration management.

This session is best suited for administrators and developers with a focus on audit, security, and compliance.

SEC318: AWS CloudTrail Deep Dive

Ever wondered how can you find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn from AWS Senior Product Manager Sivakanth Mundru how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.

We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications, when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files.
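The session abstract describes monitoring CloudTrail for specific API activity and alarming on it. As an added example, not code from AWS or from the session, here is the same detection logic run offline over a constructed CloudTrail log file: it flags calls that tamper with the trail itself (StopLogging, DeleteTrail and friends, whether or not they were denied) and repeated failed console logins from one user and source IP. The record layout (top-level "Records", eventName, userIdentity, sourceIPAddress, responseElements) is CloudTrail's; the account, user names and IP addresses are made up.

```python
import json
from collections import Counter

# API calls that weaken or silence the audit trail. A denied attempt (errorCode present)
# is still reported: someone tried.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log: the real file has more fields per record, these are the ones used.
SAMPLE_RECORDS = [
    {"eventTime": "2015-10-08T10:00:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2015-10-08T10:01:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "203.0.113.11"},
] + [
    {"eventTime": f"2015-10-08T10:02:{i:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}}
    for i in range(3)
] + [
    {"eventTime": "2015-10-08T10:03:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})


def detect(log_text: str, failed_login_threshold: int = 3) -> list:
    """Scan one CloudTrail log file and return a list of alert dicts."""
    records = json.loads(log_text)["Records"]
    alerts = []
    failed_logins = Counter()
    for rec in records:
        name = rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("userName", "<unknown>")
        source_ip = rec.get("sourceIPAddress")
        if name in TRAIL_TAMPERING_EVENTS:
            alerts.append({
                "rule": "trail-tampering", "event": name, "actor": actor,
                "source_ip": source_ip, "time": rec.get("eventTime"),
                "succeeded": "errorCode" not in rec,
            })
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[(actor, source_ip)] += 1
    for (actor, source_ip), count in failed_logins.items():
        if count >= failed_login_threshold:
            alerts.append({"rule": "console-login-bruteforce", "actor": actor,
                           "source_ip": source_ip, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the same two rules become a CloudWatch Logs metric filter on the trail's log group plus an alarm with an SNS notification, which is what the session is about; keeping the logic in a plain function like this lets you replay stored S3 log files through it during an investigation.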

SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR

Do you want to analyze AWS CloudTrail events within minutes of them arriving in your Amazon S3 bucket? Would you like to learn how to run expressive queries over your CloudTrail logs? AWS Senior Security Engineer Will Kruse will demonstrate Apache Spark and Apache Spark Streaming as two tools to analyze recent and historical security logs for your accounts. To do so, we will use Amazon Elastic MapReduce (EMR), your logs stored in S3, and Amazon SNS to generate alerts. With these tools at your fingertips, you will be the first to know about security events that require your attention, and you will be able to quickly identify and evaluate the relevant security log entries.

DDoS

SEC306: Defending Against DDoS Attacks

In this session, AWS Operations Manager Jeff Lyon and AWS Software Development Manager Andrew Kiggins will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:

  • DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
  • What AWS does to protect our services from these attacks.
  • How this all relates to the AWS Shared Responsibility Model.

Incident Response

SEC308: Wrangling Security Events in the Cloud

Have you prepared your AWS environment for detecting and managing security-related events? Do you have all the incident response training and tools you need to rapidly respond to, recover from, and determine the root cause of security events in the cloud? Even if you have a team of incident response rock stars with an arsenal of automated data acquisition and computer forensics capabilities, there is likely a thing or two you will learn from several step-by-step demonstrations of wrangling various potential security events within an AWS environment, from detection to response to recovery to investigating root cause. At a minimum, show up to find out who to call and what to expect when you need assistance with applying your existing, already awesome incident response runbook to your AWS environment. Presenters are AWS Principal Security Engineer Don “Beetle” Bailey and AWS Senior Security Consultant Josh Du Lac.

SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)

Using Security Incident Response Simulations (SIRS—also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, AWS Senior Technical Program Manager Jonathan Miller and AWS Global Security Architect Armando Leite will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

Key Management

SEC301: Strategies for Protecting Data Using Encryption in AWS

Protecting sensitive data in the cloud typically requires encryption. Managing the keys used for encryption can be challenging as your sensitive data passes between services and applications. AWS offers several options for using encryption and managing keys to help simplify the protection of your data at rest. In this session, AWS Principal Product Manager Ken Beer and Adobe Systems Principal Scientist Frank Wiebe will help you understand which features are available and how to use them, with emphasis on AWS Key Management Service and AWS CloudHSM. Adobe Systems Incorporated will present their experience using AWS encryption services to solve data security needs.

SEC401: Encryption Key Storage with AWS KMS at Okta

One of the biggest challenges in writing code that manages encrypted data is developing a secure model for obtaining keys and rotating them when an administrator leaves. AWS Key Management Service (KMS) changes the equation by offering key management as a service, enabling a number of security improvements over conventional key storage methods. Okta Senior Software Architect Jon Todd will show how Okta uses the KMS API to secure a multi-region system serving thousands of customers. This talk is oriented toward developers looking to secure their applications and simplify key management.

Overall Security

SEC201: AWS Security State of the Union

Security must be at the forefront for any online business. At AWS, security is priority number one. AWS Vice President and Chief Information Security Officer Stephen Schmidt will share his insights into cloud security and how AWS meets customers' demanding security and compliance requirements—and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in the government, space exploration, research, and financial services organizations, will share an industry perspective that's unique and invaluable for today's IT decision makers.

SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud

Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.

In this session, Sumo Logic VP of Security/CISO Joan Pepin will cover:

  • Key market drivers and advantages for leveraging cloud architectures.
  • Foundational design principles to guide strategy for securely leveraging the cloud.
  • The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
  • Real-world customer insights from organizations who have successfully adopted the "Defense in Depth" approach.

Session sponsored by Sumo Logic.

SEC203: Journey to Securing Time Inc's Move to the Cloud

Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy. 

Who should attend: InfoSec and IT management. Session sponsored by Alert Logic.

SEC303: Architecting for End-to-End Security in the Enterprise

This session will tell the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, AWS Principal Consultant Hart Rossman and AWS Principal Security Solutions Architect Bill Shinn will share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads

CSC Director of Global Cloud Portfolio Kyle Falkenhagen will demonstrate enterprise policy, governance, and security products to deploy and manage enterprise and industry applications on AWS. CSC will demonstrate automated provisioning and management of big data platforms and industry-specific enterprise applications, with automatically provisioned secure network connectivity from the datacenter to AWS over a layer 2 routed AT&T NetBond connection (which provides AWS Direct Connect access). CSC will also demonstrate how applications blueprinted on CSC's Agility Platform can be re-hosted on AWS in minutes or re-instantiated across multiple AWS regions. CSC will also demonstrate how CSC can provide agile and consumption-based endpoint security for workloads in any cloud or virtual infrastructure, providing enterprise management and 24x7 monitoring of workload compliance, vulnerabilities, and potential threats.

Session sponsored by CSC.

SEC402: Enterprise Cloud Security via DevSecOps 2.0

Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.

We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit DevSecOps Leader Shannon Lietz and AWS Senior Security Consultant Matt Bretan to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.

Security Architecture

SEC205: Learn How to Hackproof Your Cloud Using Native AWS Tools

The cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, autoscaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats. And AWS provides powerful tools that enable users to confidently overcome these challenges.

In this session, CloudCheckr Founder and CTO Aaron Newman will discuss leveraging native AWS tools as he covers topics including:

  • Minimizing attack vectors and surface area.
  • Conducting perimeter assessments of your virtual private clouds (VPCs).
  • Identifying internal vs. external threats.
  • Monitoring threats.
  • Reevaluating intrusion detection, activity monitoring, and vulnerability assessment in AWS.

Session sponsored by CloudCheckr.

Enjoy re:Invent!

- Craig



via AWS Security Blog http://amzn.to/1hsnSIZ

Today's Security and Compliance Sessions at re:Invent 2015

If you are attending re:Invent 2015 in Las Vegas this week, you can attend any of the following Security & Compliance track sessions taking place today. 

Didn't register before the conference sold out? All sessions are being recorded and will be made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.  

Click any of the following links to learn more about a breakout session.

Compliance

DDoS

Incident Response

Identity and Access Management

Overall Security

Security Architecture

- Craig



via AWS Security Blog http://amzn.to/1jQrBSG

New Security Services Launched at AWS re:Invent 2015—Amazon Inspector, AWS WAF, and AWS Config Rules

Today at re:Invent, AWS announced two new security services and one new feature to help you improve your security posture and protect applications deployed on AWS.

Amazon Inspector is an automated security assessment service that helps minimize the likelihood of introducing security or compliance issues when deploying applications on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.

To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security compliance standards (such as PCI DSS) and vulnerability definitions. Examples include enabling remote root login, or including vulnerable software versions. These rules are regularly updated by AWS security researchers.

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over your web applications by defining customizable web security rules.

You can use AWS WAF to block common attack patterns, such as SQL injection or cross-site scripting, and create custom rules specific to your applications. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a fully featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

AWS WAF is generally available, and Amazon Inspector is available in preview. AWS also announced preview availability of AWS Config Rules.

AWS Config Rules is a feature of AWS Config, and is a new set of cloud governance capabilities that allow IT administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of prebuilt rules based on common AWS best practices or custom rules that you define. For example, you can ensure Amazon EBS volumes are encrypted, Amazon EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. Config Rules can continuously monitor your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT administrator can quickly determine when and how a resource went out of compliance.
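The paragraph gives "Amazon EBS volumes are encrypted" as a rule example. As an added illustration, not AWS's code, here is what such a rule looks like as a custom rule: a Lambda handler that receives one configuration item and returns an evaluation in the shape AWS Config's PutEvaluations expects. The event layout (invokingEvent as a JSON string holding configurationItem, plus resultToken) and the `encrypted` field of an AWS::EC2::Volume configuration are assumed from the service's documented custom-rule contract; the sample event is constructed.

```python
import json

VOLUME_TYPE = "AWS::EC2::Volume"


def evaluate_volume(config_item: dict) -> dict:
    """Decide compliance for one configuration item and build the PutEvaluations entry."""
    status = config_item.get("configurationItemStatus", "")
    if config_item["resourceType"] != VOLUME_TYPE or status.startswith("ResourceDeleted"):
        # Other resource types, and volumes that no longer exist, must not count as failures.
        compliance = "NOT_APPLICABLE"
    elif config_item.get("configuration", {}).get("encrypted") is True:
        compliance = "COMPLIANT"
    else:
        # Missing or false: an unencrypted volume is reported, not silently skipped.
        compliance = "NON_COMPLIANT"
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point for a change-triggered custom Config rule (assumed event shape)."""
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = evaluate_volume(invoking_event["configurationItem"])
    # A deployed rule hands the result back with
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                          ResultToken=event["resultToken"])
    # which is omitted here so the example runs offline.
    return evaluation


# Constructed sample: an unencrypted volume as Config would present it to the rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": VOLUME_TYPE,
            "resourceId": "vol-0example00000001",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2015-10-08T12:00:00.000Z",
            "configuration": {"volumeId": "vol-0example00000001", "encrypted": False},
        }
    }),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))  # ComplianceType: NON_COMPLIANT
```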

These new services and this new feature will make it significantly easier for you to assess your applications’ security, keep track of deviations from best practice, and protect your applications throughout the development lifecycle.

- Paul

via AWS Security Blog http://amzn.to/1FZrXjw

Inspecting Security and Privacy Settings of a Website

Inspecting the Content Security Policy of a Website

Starting in Firefox 41, Mozilla provides a developer tool that allows users to inspect the security settings of a website. Using GCLI (Graphical Command Line Interface), a user can inspect the Content Security Policy (CSP) of a website. CSP is a security concept that allows websites to […]

via Mozilla Hacks - the Web developer blog http://mzl.la/1j9A3LX
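As an added example of the kind of review that inspecting a site's CSP is meant to support (this is not Mozilla's GCLI tool or code, and the Firefox command works on the live policy inside the browser), the stand-alone checker below parses a Content-Security-Policy header value you already hold, such as one copied from a response's headers, and reports source expressions that weaken it. The list of weak sources and the sample policies are constructed for illustration.

```python
"""Flag weak settings in a Content-Security-Policy header value.

Added example, not Mozilla's GCLI tool or code. The weak-source list below
is this example's own choice of what to report; the sample policies are
constructed and not taken from any real site.
"""

# Source expressions that weaken a directive, with the reason to report.
WEAK_SOURCES = {
    "'unsafe-inline'": "permits inline script/style, the main thing CSP exists to block",
    "'unsafe-eval'": "permits eval() and other string-to-code functions",
    "*": "wildcard host source: content may load from any origin",
    "http:": "scheme source permits any plaintext HTTP origin",
    "data:": "data: URIs let injected content be served inline",
}

# Directives where CSP Level 2 ignores 'unsafe-inline' once a nonce or hash is present.
NONCE_HASH_DIRECTIVES = {"script-src", "style-src"}
NONCE_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Split a CSP header value into {directive_name: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lower-cased; per the spec a repeated
    directive is ignored (the first occurrence wins).
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def find_weaknesses(header_value):
    """Return (directive, source, reason) tuples for every weak source found."""
    policy = parse_csp(header_value)
    findings = []
    for name, sources in policy.items():
        has_nonce_or_hash = any(s.startswith(NONCE_HASH_PREFIXES) for s in sources)
        for src in sources:
            if src == "'unsafe-inline'" and name in NONCE_HASH_DIRECTIVES and has_nonce_or_hash:
                continue  # a CSP2 browser ignores 'unsafe-inline' here, so it is not a weakness
            if src in WEAK_SOURCES:
                findings.append((name, src, WEAK_SOURCES[src]))
    # Without script-src or a default-src fallback, script loading is unrestricted.
    if "script-src" not in policy and "default-src" not in policy:
        findings.append(("script-src", "(absent)",
                         "neither script-src nor default-src is set, so scripts are unrestricted"))
    return findings


# Constructed sample policies (not taken from any real site).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *.example.net; img-src *"
STRONG_POLICY = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'"
NONCE_POLICY = "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY), ("nonce", NONCE_POLICY)):
        print(label, find_weaknesses(policy))
```

The nonce/hash handling is the edge case worth noticing: a policy that lists both `'nonce-…'` and `'unsafe-inline'` in `script-src` is not weak in a CSP Level 2 browser, because the presence of the nonce makes the browser ignore `'unsafe-inline'` (sites use that combination to keep older browsers working), so a checker that flags `'unsafe-inline'` unconditionally would report a false positive.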

CERTFR-2015-AVI-418: Multiple vulnerabilities in Google Nexus (6 October 2015)

Multiple vulnerabilities have been fixed in Google Nexus. They allow an attacker to cause remote arbitrary code execution, a denial of service and an elevation of privileges.

via Latest CERT-FR documents. http://bit.ly/1OmoiO1

CERTFR-2015-AVI-419: Vulnerability in Ubuntu's Linux kernel (6 October 2015)

A vulnerability has been fixed in Ubuntu's Linux kernel. It allows an attacker to cause an elevation of privileges.

via Latest CERT-FR documents. http://bit.ly/1Mf4XtS

Wednesday 7 October 2015

Identifying the attackers: before, during and after the attack…

When a company is under fire from attackers, its first priorities are to limit the damage, protect its assets and stop the attack so that it can resume business as quickly as possible. But knowing precisely where the attack comes from and who is behind it can give it a valuable advantage. Whether it does so during the attack, afterwards, or even beforehand (threat intelligence), the company can no longer bury its head in the sand: it must know its enemy, its objectives, its means and its methods. Jérôme Saiz, (...) - Investigations

via Global Security Mag Online http://bit.ly/1jOtwqL

A billion Android phones are vulnerable to new Stagefright bugs

Stagefright 2.0 comes as Android users were still recovering from Stagefright 1.

via Ars Technica » Risk Assessment http://bit.ly/1YWHjvt

Patreon was warned of serious website flaw 5 days before it was hacked

Even worse: Thousands of other sites are making the same facepalm-worthy mistake.

via Ars Technica » Risk Assessment http://bit.ly/1L6dK1h

Scottrade breach exposes sensitive data for 4.6 million customers

Contrary to what company advises, users should change passwords immediately.

via Ars Technica » Risk Assessment http://bit.ly/1VDygjS

New Outlook mailserver attack steals massive number of passwords

Backdoor in Outlook Web Application operates inside target's firewall.

via Ars Technica » Risk Assessment http://bit.ly/1LykgmX

I’m no expert, but holy crap the hacking on Homeland was bad

"There’s a zero-day defect on this firewall."

via Ars Technica » Risk Assessment http://bit.ly/1KZKfjT

Trump Hotels payment system infected with malware

Claims "no forensic evidence" of theft of data but offers complimentary protection.

via Ars Technica » Risk Assessment http://bit.ly/1OlDfl7

The three golden rules for software security in the IoT | Information Age

via The three golden rules for software security in the IoT | Information Age http://bit.ly/1WMQhcL

This Secure Operating System Can Protect You Even if You Get Hacked

Hackers, government agencies and sophisticated malware are collecting every piece of digital data that we transmit through our computers, smartphones or Internet-enabled gadgets. No matter how secure you think you might be, something malicious can always happen, because "with the right tools and talent, a computer is an open book." Many people ask: how do you stay safe and secure online?

via The Hacker News http://bit.ly/1j7D8vW

New AWS Security Courses (Fundamentals & Operations)

It’s probably no surprise that information security is one of today’s most sought after IT specialties. It’s also deeply important to our customers and any company considering moving to the cloud. So, today we’re launching a new AWS Training curriculum focused on security. The curriculum’s two new classes are designed to help you meet your […]

via AWS Official Blog http://amzn.to/1LxR3IP

The French State releases €10M to create privacy-protecting technologies

via Security news http://bit.ly/1L5PA6R

Sunday 4 October 2015

"ASP.NET MVC: Secure Data Transmission"

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will review secure data transmission in the ASP.NET MVC framework.

Secure data transmission is a critical step towards securing our customer information over the web. In fact, many of our SoftServe applications are regulated by HIPAA, which has the following secure data transmission requirements:
  • Client-server communication should be performed via a secured channel (TLS/HTTPS)
  • The client (front-end application) should not pass any PHI data in URL parameters when sending requests to the server
  • All data transmission outside of the system should be performed via a secure protocol (HTTPS, Direct Protocol, etc.)

To satisfy these requirements, let's examine how to secure data transmission in an ASP.NET MVC application.

Enable HTTPS Debugging

One of my favorite ...

via AppSec Street Fighter - SANS Institute http://bit.ly/1YZRNdB