Sunday, 31 January 2016
"HTTP Verb Tampering in ASP.NET"
via AppSec Street Fighter - SANS Institute http://bit.ly/1P5e2HH
Friday, 29 January 2016
PayPal Remote Code Execution Vulnerability Patched
via Darknet – The Darkside http://bit.ly/1PJIVH7
Thursday, 28 January 2016
DenyAll strengthens its web application firewalls with a Webroot-based IP reputation service
via Global Security Mag Online http://bit.ly/1PlKrNH
20 vulnerabilities, two of them critical, fixed in Magento
via Actualités securite http://bit.ly/1UtIr61
Oracle Pushes Java Fix: Patch It or Pitch It
via Krebs on Security http://bit.ly/1Sm4rAM
Google Security Rewards - 2015 Year in Review
via Google Online Security Blog http://bit.ly/1QvLKbK
5 Hackers Who Changed the World
Hacking is a term used harshly throughout society today to describe computer crime and nefarious individuals, but what if some of the world's most prominent technology leaders got their start by hacking? Shockingly enough, that is the case for more than a handful of geniuses who have risen in the past few decades, changing [...]
via Freedom Hacker http://bit.ly/1Sm4pc5
Wednesday, 27 January 2016
Programming Languages That Generate the Most Software Security Bugs - Hack Read
Hack Read: These languages fared worst in the Veracode analysis as well as in OWASP tests, revealing that they have the most security bugs of all languages. With more than 70% of content management done using systems like Drupal, Joomla, and WordPress, ...
via #owasp - Google News http://bit.ly/1PE4WXP
Node.js: Tales From the bcrypt - DZone News
DZone News: ... would agree that bcrypt is considered a best practice for storing passwords in most cases (discussing scrypt and the like is outside the scope of this article). (Side note: for an excellent summary of password storage, check out OWASP's cheat ...
via #owasp - Google News http://bit.ly/1WNPR5G
Supermarket patches its web security…how safe are *your* web forms? - Naked Security
Naked Security: ... among the most common sort of web programming mistakes, namely XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery). If you're a techie, you can read up on these issues, and how to keep them under control, on the OWASP website.
via #owasp - Google News http://bit.ly/1WNPSqa
The professionalisation of court-appointed IT expert work
via Zythom http://bit.ly/1PjnRW3
Recommendations for the secure use of Zed!
via Agence nationale de la sécurité des systèmes d'information http://bit.ly/1SJXHxR
Application Security Coaching http://bit.ly/20st5lU #appsecfr #appsec #lk #blog
— Sebastien Gioria (@SPoint) January 27, 2016
via Twitter https://twitter.com/SPoint, January 27, 2016 at 03:27PM (IFTTT)
Tuesday, 26 January 2016
DoS on the browser... funny :) http://bit.ly/200ZbIQ via @01net #appsecfr #appsec #javascript #owaspfr #owasp #lk #blog
— Sebastien Gioria (@SPoint) January 26, 2016
via Twitter https://twitter.com/SPoint, January 26, 2016 at 12:13PM (IFTTT)
Monday, 25 January 2016
FIC 2016: Orange wants to set up a second cyber SOC in Lille
via Actualités securite http://bit.ly/1Pxm2QX
Published update to my Practical Git and GitHub book
via Dinis Cruz Blog http://bit.ly/1Nv4hAz
As easy as 123456: the 25 worst passwords revealed
If your password appears on this list, you should probably change it right away
Good news! People are still astonishingly bad at picking secure passwords, and if you run your fingers across the top row of your keyboard, you will probably type seven of the 15 most-used passwords at once.
When we say “good news”, we mean “good news for people who want to break into password-protected accounts”, of course. If you are one of the people with a bad password, that is very bad news indeed.
via Data and computer security | The Guardian http://bit.ly/23nUmZc
HPE Security Research OSINT (OpenSource Intelligence) articles of interest – January 22, 2016
Welcome to the January 22nd edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.
via Security Research articles http://bit.ly/1nJPnkY
Thursday, 21 January 2016
A majority of Android devices run an outdated version of the OS
via LeMagIT: ContentSyndication RSS Feed http://bit.ly/1RBqB3c
Trustwave sued by a dissatisfied client
via LeMagIT: ContentSyndication RSS Feed http://bit.ly/1PH24ni
News: New privacy regulation: will the reuse of data still be possible? (07/01/2016)
via Les dernières nouvelles du Droit et Nouvelles Technologies http://bit.ly/1JkBbsD
Ransomware galore at the Ministry of Transport
via Actualités securite http://bit.ly/1JkqOoL
San Francisco has had its first self-driving car accident
via Actualités securite http://bit.ly/1PqJpM8
Oracle patches 248 bugs
via Latest articles from SC Magazine http://bit.ly/1JkqPcl
2015 Cyber Attacks Statistics
via HACKMAGEDDON http://bit.ly/1PqGH9s
A new security challenge for companies and their data: smartwatches
via Global Security Mag Online http://bit.ly/1RVfFxH
UTT launches a new specialised master's programme, "Expert forensic et cybersécurité" (Forensics and Cybersecurity Expert)
via Global Security Mag Online http://bit.ly/1VaFYNQ
If you only install one update this week, make it the Adobe Flash® one
via Global Security Mag Online http://bit.ly/1ZOxKBJ
YesWeHack launches the first European bug bounty platform: BountyFactory.io
via Global Security Mag Online http://bit.ly/1UdJg2J
Tuesday, 12 January 2016
Hum hum..... #trendmicro #vulnerability http://bit.ly/1SM7O4s #appsec #appsecfr #lk #blog #security
— Sebastien Gioria (@SPoint) January 12, 2016
via Twitter https://twitter.com/SPoint, January 12, 2016 at 03:52PM (IFTTT)
Monday, 11 January 2016
Parsing #IOS Frequent Locations http://bit.ly/1ScVNFU #forensics #appsec #legal #lk #blog
— Sebastien Gioria (@SPoint) January 11, 2016
via Twitter https://twitter.com/SPoint, January 11, 2016 at 11:24AM (IFTTT)
Sunday, 10 January 2016
A look back at the Java serialization vulnerability http://bit.ly/1N0SSIm #appsecfr #appsec #lk #blog
— Sebastien Gioria (@SPoint) January 10, 2016
via Twitter https://twitter.com/SPoint, January 10, 2016 at 04:50PM (IFTTT)
A look back at the Java serialization vulnerability http://bit.ly/1RDkWrL #appsec #appsecfr #lk #blog #java #devoxx #securecoding #securite
— Sebastien Gioria (@SPoint) January 10, 2016
via Twitter https://twitter.com/SPoint, January 10, 2016 at 04:35PM (IFTTT)
Tuesday, 5 January 2016
The Most Popular AWS Security Blog Posts in 2015
The following 20 posts are the most popular posts published in 2015 on the AWS Security Blog. You can use this list as a guide for some catch-up reading, or to reread a post you found particularly valuable.
- Introducing s2n, a New Open Source TLS Implementation
- Customer Update—AWS and EU Safe Harbor
- How to Connect Your On-Premises Active Directory to AWS Using AD Connector
- How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
- Privacy and Data Security
- Enable a New Feature in the AWS Management Console: Cross-Account Access
- PCI Compliance in the AWS Cloud
- How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
- How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
- How to Receive Alerts When Your IAM Configuration Changes
- How to Receive Notifications When Your AWS Account's Root Access Keys Are Used
- How to Receive Alerts When Specific APIs Are Called by Using AWS CloudTrail, Amazon SNS, and AWS Lambda
- New in IAM: Quickly Identify When an Access Key Was Last Used
- 2015 AWS PCI Compliance Package Now Available
- An Easier Way to Manage Your Policies
- New Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth
- New SOC 1, 2, and 3 Reports Available -- Including a New Region and Service In-Scope
- How to Create a Limited IAM Administrator by Using Managed Policies
- How to Delegate Management of Multi-Factor Authentication to AWS IAM Users
- Now Available: Videos and Slide Decks from the re:Invent 2015 Security and Compliance Track
Also, the following 20 posts are the most popular AWS Security Blog posts since its inception in April 2013. Some of these posts have been readers' favorites year after year.
- Introducing s2n, a New Open Source TLS Implementation
- Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
- Where's My Secret Access Key?
- Securely connect to Linux instances running in a private Amazon VPC
- Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0
- A New and Standardized Way to Manage Credentials in the AWS SDKs
- IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
- Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
- Demystifying EC2 Resource-Level Permissions
- Resource-Level Permissions for EC2--Controlling Management Access on Specific Instances
- Controlling Network Access to EC2 Instances Using a Bastion Server
- Customer Update—AWS and EU Safe Harbor
- Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission)
- How Do I Protect Cross-Account Access Using MFA?
- Building an App Using Amazon Cognito and an OpenID Connect Identity Provider
- A safer way to distribute AWS credentials to EC2
- How to Connect Your On-Premises Active Directory to AWS Using AD Connector
- How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
- Privacy and Data Security
- How to Enable Cross-Account Access to the AWS Management Console
We thank you for visiting the AWS Security Blog in 2015 and hope you'll return again regularly in 2016. Let us know in the comments section below if there is a specific security or compliance topic you would like us to cover in the new year.
- Craig
via AWS Security Blog http://amzn.to/1my16D8
Monday, 4 January 2016
OWASP Top 10: when is the next version coming? http://bit.ly/1OGlUyc #appsec #appsecfr #blog #lk #owasp
— Sebastien Gioria (@SPoint) January 4, 2016
via Twitter https://twitter.com/SPoint, January 04, 2016 at 03:51PM (IFTTT)
Friday, 1 January 2016
A Perspective on the Next Big Data Breach
By Kevin Beaver, Guest Blogger, Lancope. Looking at the headlines and breach databases, there haven't been any spectacular, high-visibility incidents in recent weeks. It's almost as if the criminals are lurking in the weeds, waiting to launch their next attack during the busy, upcoming holiday season. After all, the media tends to sensationalize such breaches […]
via Cloud Security Alliance Blog http://bit.ly/1TuexhH
191 million US voters' data exposed online in database mishap
via ZDNet | Zero Day RSS http://bit.ly/1PByTGx
HTTP Methods
via WhiteHat Security Blog http://bit.ly/1TuewtX
2016 Reality: Lazy Authentication Still the Norm
via Krebs on Security http://bit.ly/1Vv29z6