Monday 19 October 2015
Friday 16 October 2015
Jenny, the pretty Québécoise with her chewing gum, specialises in password theft, or more precisely in the art of guessing your password. Remember that with it she can get at your personal data, your photos, your bank account, ... All of that is well worth the effort of keeping your passwords safe and out of reach of cybercriminals. Here are my tips for avoiding Jenny's attacks!
3 tips for rock-solid passwords
Choosing a password is not something you improvise. Here are the 3 tips I give to family, friends and colleagues for rock-solid passwords:
- My first tip is to use a different password for each site: it is essential not to use the same password on several sites, because when one site leaks its password database, that password is tried against every other service you use. A password is like a toothbrush: you don't share it!
- The second tip is to use passwords with a large number of characters. A password like « LaVoitureVerteMangeDesChouxALaCreme » is one that will stand up particularly well to guessing attacks. If a site caps the number of characters it accepts, that is a telling sign: a properly hashed password does not need a short limit, so the cap may hide problems with how the site handles passwords; if that is the case, fall back on the 3rd tip.
- The third and last tip is to sprinkle a few special characters (such as « !?$([# ») into your password here and there. Likewise, mix lower case and upper case and insert digits.
If you only take two of these tips on board, go all in on the 1st (you don't share your toothbrush, and not your passwords either) and the 2nd (very long passwords are very robust).
If you do only one thing, here it is:
Before anything else, the priority is to secure access to your email / mailbox. Because whoever takes control of your mailbox can take control of your accounts: the password-reset links for all your other services land there.
So, if you should do only one thing, it is this:
- set a particularly long or complex password for your mailbox
- do not use it on any other site
Do it now. Don't wait for Jenny or some other unscrupulous cybercriminal to show up! Remember: whoever takes control of your mailbox can take control of your other accounts, on social networks and so on.
The password vault and two-factor authentication
But how do you remember a unique, long and complex password for every site? The answer is that it is simply impossible. And in any case nobody is going to ask you to remember close to a hundred different passwords! The answer lies elsewhere: there are special programs called "password vaults" (password managers) that do this job wonderfully well for you: you only need to remember one single password (a particularly complex one that you never type into any site) to open your vault and get at your passwords.
When the online service offers it, you can add a one-time code on top of your password (these are the codes that change every 30 seconds), or have that one-time code requested only when the service detects a login from a device it does not already know. Most often it is a matter of installing an app on your smartphone and you are done. The big online services offer it for free; you just have to remember to turn it on! To find out whether your favourite service supports 2FA (two-factor authentication), have a look at this site: http://bit.ly/1MtaLju
Don't hand cybercriminals a stick to beat you with on social networks
Beyond these few tips, it remains important to keep control of the personal information about you on social networks. Even if Willy, another Hack Academy candidate, does not use personal information harvested from social networks to launch his phishing attacks, such personal information is solid gold for targeted attacks. And besides, keeping your private life genuinely private is better.
Take up the challenge!
Ah, I almost forgot! Even if antivirus software sometimes lets certain threats through, it is necessary and must be updated regularly. You would not want spyware installed on your machine to grab your « MotdepasseMagiquequeJennynepourraPasDeviner! »
Come on, join the Hack Academy and take up Jenny's challenge!
Jean-François (aka Jeff) Audenard.
Mozilla has released Firefox 41.0.2 to address a security vulnerability. Exploitation of this vulnerability may allow a remote attacker to obtain sensitive information from an affected system.
US-CERT encourages users and administrators to review Mozilla Security Advisory 2015-115 and apply the necessary update.
via US-CERT Current Activity http://1.usa.gov/1GJCaLY
Tuesday 13 October 2015
OWASP #ASVS v3.0 is available for download #appsec #appsecfr #owasp #security #securecoding http://bit.ly/1QnfDu6 #lk #veille
from Twitter https://twitter.com/SPoint
October 13, 2015 at 11:17AM
Monday 12 October 2015
Bug bounty with bits of @korben in it... http://bit.ly/1hAiwvu #appsec #appsecfr #lk #veille
from Twitter https://twitter.com/SPoint
October 12, 2015 at 05:29PM
Saturday 10 October 2015
Recently, the European Court of Justice determined that the 15-year-old US-EU Safe Harbor framework is no longer valid for the transfer of personal data from the European Economic Area (EEA) to the US.
At AWS, we know customers care deeply about privacy and data security; we optimize our work to get these issues right for our customers around the world. Today, we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law. This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who are processing personal data whether they are established in Europe or a global company operating in the EEA. For additional information, please visit AWS EU Data Protection FAQ.
For customers not looking to transfer personal data out of the EEA, we continue to give them all of the security, privacy, and control they have always had with AWS, such as:
- Customers maintain ownership of their customer content and select which AWS services process, store, and host their customer content.
- Customers determine where their customer content will be stored, allowing them to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt.
- Customers choose the secured state of their customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
For additional information, please visit AWS Privacy and Data Security FAQ.
At AWS, customer trust is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption.
via AWS Security Blog http://amzn.to/1NwAJbu
Friday 9 October 2015
There are many static analysis tools that can be used to check an application for quality and security issues. Code Dx currently integrates with 24 of them. There’s a mix of both commercial and freely available tools. Many of the...
Original post title: "How do open source static analysis tools stack up against commercial tools?"
Thursday 8 October 2015
Today we launched a new AWS training curriculum on security. The two new classes made available today are designed to help you meet your cloud security objectives under the AWS Shared Responsibility Model, by showing you how to create more secure AWS architectures and solutions and address key compliance requirements.
Here’s a closer look at the new training classes:
- AWS Security Fundamentals: This free 3-hour online class is designed to introduce you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. The class is meant primarily for security professionals with little or no working knowledge of AWS and also addresses security-related compliance protocols, risk management strategies, and procedures for auditing AWS security infrastructure.
- Security Operations on AWS: This 3-day, classroom-based deep dive covers security features of key AWS services and AWS best practices for securing data and systems. You’ll learn about regulatory compliance standards and use cases for running regulated workloads on AWS. Hands-on practice with AWS security products and features will help you take your security operations to the next level.
via AWS Security Blog http://amzn.to/1hsnSJc
Previously, I mentioned that the re:Invent 2015 Security & Compliance track sessions had been announced, and I also discussed the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.
Today, I will highlight the remainder of the sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent 2015, you can add these sessions to your schedule now. If you won’t be attending re:Invent in person this year, keep in mind that all sessions will be available on YouTube (video) and SlideShare (slide decks) after the conference.
With AWS Config, you can discover what is being used on AWS, understand how resources are configured and how their configurations changed over time—all without disrupting end-user productivity on AWS. You can use this visibility to assess continuous compliance with best practices, and integrate with IT service management, configuration management, and other ITIL tools. In this session, AWS Senior Product Manager Prashant Prahlad will discuss:
- Mechanisms to aggregate this deep visibility to gain insights into your overall security and operational posture.
- Ways to leverage notifications from the service to stay informed, trigger workflows, or graph your infrastructure.
- Integrating AWS Config with ticketing and workflow tools to help you maintain compliance with internal practices or industry guidelines.
- Aggregating this data with other configuration management tools to move toward a single source of truth solution for configuration management.
This session is best suited for administrators and developers with a focus on audit, security, and compliance.
Ever wondered how you can find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn from AWS Senior Product Manager Sivakanth Mundru how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues, and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.
We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files.
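As an added example (not the session's scripts and not AWS code), the following Python answers the session's opening question against a constructed CloudTrail delivery file: which principal made which call, when and from where, plus a detection pass for the calls a responder would want alerted on, namely tampering with the trail itself and any use of the root user. The four records in SAMPLE_LOG, the account ID and the IP addresses are constructed for this example; the field names follow the CloudTrail record format. The pattern at the end expresses the same selection as a CloudWatch Logs metric filter, which is the mechanism behind the email alerting described above.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail delivery file (not a real log). Field names follow the
# CloudTrail record format: eventSource, eventName, userIdentity, errorCode, ...
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-08T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "m4.large"}},
    {"eventTime": "2015-10-08T14:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2015-10-08T14:06:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Developers/mallory"},
     "requestParameters": {"name": "main"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: cloudtrail:DeleteTrail"},
    {"eventTime": "2015-10-08T14:09:15Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

# Calls that deserve an alert whatever their outcome: a denied DeleteTrail still tells you
# someone is probing the audit trail. Extend with IAM and security-group changes as needed.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_records(text: str) -> list:
    return json.loads(text)["Records"]


def actor(record: dict) -> str:
    """'type:name' for a record, e.g. IAMUser:alice or AssumedRole:Developers/mallory."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    name = ident.get("userName") or ident.get("arn", "").split(":")[-1].split("/", 1)[-1]
    return f"{kind}:{name}"


def who_called(records: list, event_name: str) -> list:
    """Who made this API call, when, from where, on what, and did it succeed?"""
    return [(r["eventTime"], actor(r), r["sourceIPAddress"],
             r.get("requestParameters") or {}, r.get("errorCode"))
            for r in records if r["eventName"] == event_name]


def find_suspicious(records: list) -> list:
    """Detection pass: trail tampering (succeeded or denied) and any root activity."""
    alerts = []
    for r in records:
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING:
            outcome = "denied" if "errorCode" in r else "succeeded"
            alerts.append((r["eventTime"], actor(r), f"{r['eventName']} {outcome}"))
        if r.get("userIdentity", {}).get("type") == "Root":
            alerts.append((r["eventTime"], actor(r), f"root used for {r['eventName']}"))
    return alerts


def activity_by_actor(records: list) -> dict:
    """Per-principal call counts, a quick baseline for 'who normally does what'."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[actor(r)][r["eventName"]] += 1
    return {a: dict(c) for a, c in counts.items()}


# The trail-tampering selection as a CloudWatch Logs metric filter pattern, for the
# "CloudTrail -> CloudWatch Logs -> alarm -> email" setup.
CLOUDWATCH_FILTER_PATTERN = (
    "{ ($.eventSource = cloudtrail.amazonaws.com) && "
    "(($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail)) }"
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for when, who, what in find_suspicious(recs):
        print(when, who, what)
```

Running the script over the constructed file lists three alerts: bob stopping the trail, mallory's denied DeleteTrail, and a root console login. Note that `actor` falls back to the ARN when no userName is present, which is what you get for assumed roles and root.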
Do you want to analyze AWS CloudTrail events within minutes of them arriving in your Amazon S3 bucket? Would you like to learn how to run expressive queries over your CloudTrail logs? AWS Senior Security Engineer Will Kruse will demonstrate Apache Spark and Apache Spark Streaming as two tools to analyze recent and historical security logs for your accounts. To do so, we will use Amazon Elastic MapReduce (EMR), your logs stored in S3, and Amazon SNS to generate alerts. With these tools at your fingertips, you will be the first to know about security events that require your attention, and you will be able to quickly identify and evaluate the relevant security log entries.
In this session, AWS Operations Manager Jeff Lyon and AWS Software Development Manager Andrew Kiggins will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:
- DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
- What AWS does to protect our services from these attacks.
- How this all relates to the AWS Shared Responsibility Model.
Have you prepared your AWS environment for detecting and managing security-related events? Do you have all the incident response training and tools you need to rapidly respond to, recover from, and determine the root cause of security events in the cloud? Even if you have a team of incident response rock stars with an arsenal of automated data acquisition and computer forensics capabilities, there is likely a thing or two you will learn from several step-by-step demonstrations of wrangling various potential security events within an AWS environment, from detection to response to recovery to investigating root cause. At a minimum, show up to find out who to call and what to expect when you need assistance with applying your existing, already awesome incident response runbook to your AWS environment. Presenters are AWS Principal Security Engineer Don “Beetle” Bailey and AWS Senior Security Consultant Josh Du Lac.
Using Security Incident Response Simulations (SIRS, also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform and application layers, then validate your ability to respond. In this session, AWS Senior Technical Program Manager Jonathan Miller and AWS Global Security Architect Armando Leite will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.
Protecting sensitive data in the cloud typically requires encryption. Managing the keys used for encryption can be challenging as your sensitive data passes between services and applications. AWS offers several options for using encryption and managing keys to help simplify the protection of your data at rest. In this session, AWS Principal Product Manager Ken Beer and Adobe Systems Principal Scientist Frank Wiebe will help you understand which features are available and how to use them, with emphasis on AWS Key Management Service and AWS CloudHSM. Adobe Systems Incorporated will present their experience using AWS encryption services to solve data security needs.
One of the biggest challenges in writing code that manages encrypted data is developing a secure model for obtaining keys and rotating them when an administrator leaves. AWS Key Management Service (KMS) changes the equation by offering key management as a service, enabling a number of security improvements over conventional key storage methods. Okta Senior Software Architect Jon Todd will show how Okta uses the KMS API to secure a multi-region system serving thousands of customers. This talk is oriented toward developers looking to secure their applications and simplify key management.
Security must be at the forefront for any online business. At AWS, security is priority number one. AWS Vice President and Chief Information Security Officer Stephen Schmidt will share his insights into cloud security and how AWS meets customers' demanding security and compliance requirements, and in many cases helps them improve their security posture. Drawing on his background with the FBI and his work with AWS customers in government, space exploration, research, and financial services organizations, Stephen will share an industry perspective that is unique and invaluable for today's IT decision makers.
Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.
In this session, Sumo Logic VP of Security/CISO Joan Pepin will cover:
- Key market drivers and advantages for leveraging cloud architectures.
- Foundational design principles to guide strategy for securely leveraging the cloud.
- The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
- Real-world customer insights from organizations who have successfully adopted the "Defense in Depth" approach.
Session sponsored by Sumo Logic.
Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO of Time Inc., will open this session by presenting Time's objective of moving away from on-premises and co-location data centers to AWS and the cost savings realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high-volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.
Who should attend: InfoSec and IT management. Session sponsored by Alert Logic.
This session will tell the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, AWS Principal Consultant Hart Rossman and AWS Principal Security Solutions Architect Bill Shinn will share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
CSC Director of Global Cloud Portfolio Kyle Falkenhagen will demonstrate enterprise policy, governance, and security products to deploy and manage enterprise and industry applications on AWS. CSC will demonstrate automated provisioning and management of big data platforms and industry-specific enterprise applications, with automatically provisioned secure network connectivity from the datacenter to AWS over a layer-2 routed AT&T Netbond connection (which provides AWS Direct Connect access). CSC will also demonstrate how applications blueprinted on CSC's Agility Platform can be re-hosted on AWS in minutes or re-instantiated across multiple AWS regions. CSC will also demonstrate how CSC can provide agile and consumption-based endpoint security for workloads in any cloud or virtual infrastructure, providing enterprise management and 24x7 monitoring of workload compliance, vulnerabilities, and potential threats.
Session sponsored by CSC.
Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.
We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit DevSecOps Leader Shannon Lietz and AWS Senior Security Consultant Matt Bretan to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.
The cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, autoscaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats. And AWS provides powerful tools that enable users to confidently overcome these challenges.
In this session, CloudCheckr Founder and CTO Aaron Newman will discuss leveraging native AWS tools as he covers topics including:
- Minimizing attack vectors and surface area.
- Conducting perimeter assessments of your virtual private clouds (VPCs).
- Identifying internal vs. external threats.
- Monitoring threats.
- Reevaluating intrusion detection, activity monitoring, and vulnerability assessment in AWS.
Session sponsored by CloudCheckr.
via AWS Security Blog http://amzn.to/1hsnSIZ
If you are attending re:Invent 2015 in Las Vegas this week, you can attend any of the following Security & Compliance track sessions taking place today.
Didn't register before the conference sold out? All sessions are being recorded and will be made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.
Click any of the following links to learn more about a breakout session.
- SEC304: Architecting for HIPAA Compliance on AWS
- SEC312: Reliable Design and Deployment of Security and Compliance
Identity and Access Management
- SEC201: AWS Security State of the Union
- SEC303: Architecting for End-to-End Security in the Enterprise
- SEC323: NEW LAUNCH! Securing Web Applications with AWS WAF
via AWS Security Blog http://amzn.to/1jQrBSG
New Security Services Launched at AWS re:Invent 2015—Amazon Inspector, AWS WAF, and AWS Config Rules
Today at re:Invent, AWS announced two new security services and one new feature to help you improve your security posture and protect applications deployed on AWS.
Amazon Inspector is an automated security assessment service that helps minimize the likelihood of introducing security or compliance issues when deploying applications on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.
To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security compliance standards (such as PCI DSS) and vulnerability definitions. Examples include enabling remote root login, or including vulnerable software versions. These rules are regularly updated by AWS security researchers.
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over your web applications by defining customizable web security rules.
You can use AWS WAF to block common attack patterns, such as SQL injection or cross-site scripting, and create custom rules specific to your applications. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a fully featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
AWS Config Rules is a feature of AWS Config, and is a new set of cloud governance capabilities that allow IT administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of prebuilt rules based on common AWS best practices, or custom rules that you define. For example, you can ensure Amazon EBS volumes are encrypted, Amazon EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. Config Rules continuously monitors your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT administrator can quickly determine when and how a resource went out of compliance.
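As an added example (not AWS sample code), here is the evaluation logic of a custom Config rule of the kind the paragraph mentions, checking that an EBS volume is encrypted, written in Python as an AWS Lambda handler. The configuration-item fields used (resourceType, configurationItemStatus, configurationItemCaptureTime and the volume's encrypted flag) and the invocation fields (invokingEvent, resultToken, eventLeftScope) follow the shapes AWS Config sends to a rule; the sample event, the volume ID vol-0a1b2c3d and the result token are constructed for this example, and the rule's name and IAM role are not shown. The verdict is computed in a pure function so it can be tested without AWS credentials; only lambda_handler talks to the Config API.

```python
import json
from datetime import datetime, timezone

APPLICABLE = "AWS::EC2::Volume"


def parse_capture_time(text: str) -> datetime:
    """Config capture times look like 2015-10-08T14:02:11.000Z; return a tz-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def evaluate_volume(item: dict) -> str:
    """Compliance verdict for one configuration item: COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE."""
    if item.get("resourceType") != APPLICABLE:
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"          # nothing left to be compliant or not
    cfg = item.get("configuration") or {}
    # Treat a missing flag as non-compliant: fail closed rather than assume encryption.
    return "COMPLIANT" if cfg.get("encrypted") is True else "NON_COMPLIANT"


def build_evaluation(event: dict) -> dict:
    """Turn the rule invocation event into the Evaluation structure put_evaluations expects."""
    invoking = json.loads(event["invokingEvent"])   # invokingEvent is a JSON string
    item = invoking["configurationItem"]
    verdict = "NOT_APPLICABLE" if event.get("eventLeftScope") else evaluate_volume(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "OrderingTimestamp": parse_capture_time(item["configurationItemCaptureTime"]),
    }


def lambda_handler(event, context):
    """Entry point when deployed as a custom Config rule (boto3 is available in Lambda)."""
    import boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def sample_event(encrypted: bool, status: str = "OK") -> dict:
    """Constructed invocation event in the shape Config sends to a rule's Lambda."""
    item = {
        "resourceType": APPLICABLE, "resourceId": "vol-0a1b2c3d", "awsRegion": "eu-west-1",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2015-10-08T14:02:11.000Z",
        "configuration": {"volumeId": "vol-0a1b2c3d", "encrypted": encrypted, "size": 8},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token", "eventLeftScope": False}


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, build_evaluation(sample_event(flag))["ComplianceType"])
```

Two details matter in practice: a deleted resource (or one that has left the rule's scope) must be reported as NOT_APPLICABLE so it drops off the dashboard instead of lingering as non-compliant, and an absent encrypted flag is reported as NON_COMPLIANT rather than silently passing.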
These new services and new feature will make it significantly easier for you to assess your applications’ security, keep track of deviations from best practice, and protect your applications throughout the development lifecycle.
via AWS Security Blog http://amzn.to/1FZrXjw
Wednesday 7 October 2015
Sunday 4 October 2015