Sunday 31 January 2016

"HTTP Verb Tampering in ASP.NET"

We're only a few days into 2016, and it didn't take long for me to see a web application vulnerability that has been documented for over 10 years: HTTP Verb Tampering. This vulnerability occurs when a web application responds to more HTTP verbs than necessary for the application to properly function. Clever attackers can exploit … Continue reading HTTP Verb Tampering in ASP.NET

via AppSec Street Fighter - SANS Institute http://bit.ly/1P5e2HH
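Worked example, added here and not taken from the SANS post: a small Python emulation of ordered ASP.NET-style <allow>/<deny> URL authorization rules, where a rule carrying a verbs="..." attribute applies only to the verbs it lists. A configuration that denies anonymous users only for GET and POST lets an unauthenticated HEAD (processed like GET by the page, with the body dropped on the wire) or any invented verb fall through to the final allow rule. The evaluation order, the default-allow when no rule matches, and the "HEAD still executes the page" behaviour are assumptions of this model; the fix is to deny without a verbs restriction and to have the page answer 405 for verbs it does not serve.

```python
"""Emulation of ordered allow/deny authorization rules with an optional verb scope.

Added example (not the SANS post's code). Models how a verb-scoped deny rule can be
bypassed by a verb the rule does not name, and what the hardened rule set looks like.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One <allow>/<deny> line.

    users: '?' = anonymous callers, '*' = everyone, anything else = that user name.
    verbs: None means the verbs attribute was omitted, so the rule covers every verb.
    """
    action: str
    users: str
    verbs: Optional[FrozenSet[str]] = None

    def matches(self, user: Optional[str], verb: str) -> bool:
        # Assumption of this model: verbs are compared case-insensitively.
        if self.verbs is not None and verb.upper() not in self.verbs:
            return False
        if self.users == "*":
            return True
        if self.users == "?":
            return user is None
        return user == self.users


def authorize(rules: List[Rule], user: Optional[str], verb: str) -> bool:
    """First matching rule wins; with no match the request is allowed (assumed default)."""
    for rule in rules:
        if rule.matches(user, verb):
            return rule.action == "allow"
    return True


def handle(rules: List[Rule], user: Optional[str], verb: str,
           allowed_verbs: Optional[FrozenSet[str]] = None) -> Tuple[int, str]:
    """Serve a protected page. Returns (status, body).

    allowed_verbs, when given, is the hardened page's own whitelist: anything else is
    refused with 405 before authorization or page logic runs.
    """
    if allowed_verbs is not None and verb.upper() not in allowed_verbs:
        return 405, ""
    if not authorize(rules, user, verb):
        return 401, ""
    # The page logic ran. In the model this happens for HEAD or an unknown verb just as
    # for GET: the framework strips the body on the wire, but the code has executed.
    return 200, "admin page executed"


# Vulnerable: anonymous callers are denied only for GET and POST.
VULNERABLE = [
    Rule("deny", "?", frozenset({"GET", "POST"})),
    Rule("allow", "*"),
]

# Hardened: anonymous callers are denied for every verb, no verbs attribute at all.
HARDENED = [
    Rule("deny", "?"),
    Rule("allow", "*"),
]

# The verbs this page actually serves; everything else should be a 405.
PAGE_VERBS = frozenset({"GET", "POST"})


def probe_anonymous(rules: List[Rule], allowed_verbs: Optional[FrozenSet[str]] = None,
                    verbs: Iterable[str] = ("GET", "POST", "HEAD", "FOO")) -> Dict[str, int]:
    """Send each verb as an unauthenticated caller and collect the status codes."""
    return {v: handle(rules, None, v, allowed_verbs)[0] for v in verbs}


if __name__ == "__main__":
    print("vulnerable rules:", probe_anonymous(VULNERABLE))
    print("hardened rules:  ", probe_anonymous(HARDENED, PAGE_VERBS))
```

With the vulnerable rule set an anonymous HEAD or FOO returns 200 and the page logic runs; with the hardened set every anonymous verb gets 401 or 405. The same check applies to any framework whose authorization rules can be scoped per method: test the protected URL with every verb, not only GET and POST.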

Thursday 28 January 2016

DenyAll strengthens its web application firewalls with a Webroot-based IP reputation service

DenyAll, the next-generation application security vendor, announces an optional IP reputation service for its web application firewalls (WAF), based on the Webroot® Threat Intelligence platform. With this new service, subscribers can feed their WAF's security engines with an up-to-date IP reputation data feed and implement tailored response policies. The FIC, the annual cybersecurity forum, takes place (...) - Products

via Global Security Mag Online http://bit.ly/1PlKrNH

20 vulnerabilities, two of them critical, fixed in Magento



via Actualités securite http://bit.ly/1UtIr61

Oracle Pushes Java Fix: Patch It or Pitch It

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you're not sure why you have Java installed, it's high time to remove the program once and for all.

via Krebs on Security http://bit.ly/1Sm4rAM

Google Security Rewards - 2015 Year in Review



via Google Online Security Blog http://bit.ly/1QvLKbK

5 Hackers Who Changed the World

Hacking is a term used harshly throughout society today to describe computer crime and nefarious individuals, but what if some of the world's most profound technology leaders got their start by hacking? Shockingly enough, that's the case for more than a handful of geniuses who have risen in the past few decades, changing [...]

via Freedom Hacker http://bit.ly/1Sm4pc5

Wednesday 27 January 2016

Program Languages That Generate Most Software Security Bugs - Hack Read

These languages fared worst in the Veracode analysis as well as in OWASP tests, revealing that they have the most security bugs of any language. With more than 70% of content management done using systems like Drupal, Joomla, and WordPress, ...

via #owasp - Google News http://bit.ly/1PE4WXP

Node.js: Tales From the bcrypt - DZone News

... would agree that bcrypt is considered a best practice for storing passwords in most cases (discussing scrypt and the like is outside of the scope of this article). (Side note: For an excellent summary on password storage, check out OWASP's cheat ...

via #owasp - Google News http://bit.ly/1WNPR5G
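bcrypt is not in Python's standard library, so the added example below (mine, not from the DZone article) uses hashlib.pbkdf2_hmac as a stand-in to show the storage discipline the OWASP cheat sheet describes and that applies equally to bcrypt: a random per-user salt, a tunable work factor stored alongside the hash, a constant-time comparison on verification, and transparent re-hashing when a stored record's work factor is below the current setting. The record format and the 200,000-iteration setting are choices made for this example.

```python
"""Salted, work-factor-tagged password storage with constant-time verification.

Added example. Uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for
bcrypt; the storage discipline is the same, only the KDF differs.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # current work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(SALT_BYTES)                      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    alg, iters, salt_b64, digest_b64 = stored.split("$")
    if alg != ALGORITHM:
        raise ValueError("unsupported hash format: " + alg)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than we use today."""
    iterations, _, _ = _parse(stored)
    return iterations < ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Returns (ok, new_record).

    On a successful login against an outdated record, new_record holds a fresh hash at
    the current work factor that the caller should persist in place of the old one.
    """
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Only the password is ever secret: the algorithm name, iteration count and salt travel in the record so that verification can be reproduced and the work factor raised later without a password reset. The same re-hash-on-login pattern is how a site moves from an old bcrypt cost to a higher one.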

Supermarket patches its web security…how safe are *your* web forms? - Naked Security

... amongst the most common sort of web programming mistakes, namely XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery). If you're a techie, you can read up on these issues – and how to keep them under control – on the OWASP website.

via #owasp - Google News http://bit.ly/1WNPSqa
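The Naked Security piece names XSS and CSRF without showing either. The following is an added Python example (mine, not from the article): a form handler that reflects user input unescaped and accepts any POST, beside one that HTML-encodes what it reflects and requires a per-session anti-CSRF token compared in constant time. The session layout, the hidden-field name and the script payload are constructed for this example.

```python
"""Reflected XSS and CSRF in a web form: the mistake and the fix side by side.

Added example. Framework-free so it runs offline; the session dict stands in for
whatever server-side session store the application uses.
"""
import hmac
import html
import secrets
from typing import Dict

# Constructed attacker input: breaks out of the value="" attribute, then runs script.
PAYLOAD = '"><script>alert(1)</script>'


def new_session() -> Dict[str, str]:
    """One random anti-CSRF token per session, kept server-side and echoed into forms."""
    return {"id": secrets.token_hex(8), "csrf": secrets.token_urlsafe(32)}


def render_form_vulnerable(name: str) -> str:
    """Reflects the user's input verbatim and carries no anti-CSRF token."""
    return f'<form method="post"><input name="name" value="{name}"></form>'


def render_form_safe(session: Dict[str, str], name: str) -> str:
    """HTML-encodes reflected input (quote=True also covers attribute context)
    and embeds the session's anti-CSRF token as a hidden field."""
    safe_name = html.escape(name, quote=True)
    return (
        '<form method="post">'
        f'<input type="hidden" name="csrf" value="{session["csrf"]}">'
        f'<input name="name" value="{safe_name}">'
        "</form>"
    )


def handle_post_vulnerable(form: Dict[str, str]) -> int:
    """Any POST is acted on: a page on another origin can submit it in the victim's browser."""
    return 200


def handle_post_safe(session: Dict[str, str], form: Dict[str, str]) -> int:
    """Reject the request unless it carries this session's token; compare in constant time."""
    token = form.get("csrf", "")
    if not token or not hmac.compare_digest(token, session["csrf"]):
        return 403
    # state-changing work happens only past this point
    return 200


if __name__ == "__main__":
    s = new_session()
    print(render_form_vulnerable(PAYLOAD))
    print(render_form_safe(s, PAYLOAD))
    print(handle_post_safe(s, {"name": "bob"}), handle_post_safe(s, {"name": "bob", "csrf": s["csrf"]}))
```

The encoded form renders the payload as literal text inside the attribute instead of closing it, and the token check means a cross-site form submission, which cannot read the victim's page, fails with 403. Output encoding must match the context the value lands in (attribute, element body, URL, JavaScript); html.escape covers the first two.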

The professionalization of court-appointed expert work



via Zythom http://bit.ly/1PjnRW3

Recommendations for the secure use of Zed!

Zed is an encryption tool published by Prim'X. It protects files inside containers for archiving, for exchange by email over public networks (the Internet) or on physical media (USB keys). Version 4.0 build 820 of Zed was qualified by ANSSI on 17 August 2010 […]

via Agence nationale de la sécurité des systèmes d'information http://bit.ly/1SJXHxR

Application Security Coaching http://bit.ly/20st5lU #appsecfr #appsec #lk


from Twitter https://twitter.com/SPoint

January 27, 2016 at 03:27PM
via IFTTT

Monday 25 January 2016

FIC 2016: Orange wants to set up a second cyber SOC in Lille



via Actualités securite http://bit.ly/1Pxm2QX

Published update to my Practical Git and GitHub book



via Dinis Cruz Blog http://bit.ly/1Nv4hAz

As easy as 123456: the 25 worst passwords revealed

If your password appears on this list, you should probably change it right away

Good news! People are still astonishingly bad at picking secure passwords, and if you run your fingers across the top row of your keyboard, you will probably type seven of the 15 most-used passwords at once.

When we say “good news”, we mean “good news for people who want to break into password-protected accounts”, of course. If you are one of the people with a bad password, that is very bad news indeed.

Continue reading...

via Data and computer security | The Guardian http://bit.ly/23nUmZc

HPE Security Research OSINT (OpenSource Intelligence) articles of interest – January 22, 2016

Welcome to the January 22nd edition of the HPE Security Research OSINT articles of interest. This is a list of publicly available articles that we find relevant in today's security news.



via Security Research articles http://bit.ly/1nJPnkY

Thursday 21 January 2016

A majority of Android devices run an outdated version of the OS

Nearly a third of Android devices in the enterprise today run version 4.0 or older of Google's mobile operating system.

via LeMagIT: ContentSyndication RSS Feed http://bit.ly/1RBqB3c

Trustwave sued by an unhappy customer

The hospitality group Affinity Gaming has just taken Trustwave to court, accusing it of not fully carrying out the engagement it was given following a security incident.

via LeMagIT: ContentSyndication RSS Feed http://bit.ly/1PH24ni

News: New privacy Regulation: will the reuse of data still be possible? (07/01/2016)

Every personal data protection practitioner has already faced the problem of a change in the purpose for which data is used. ...

via Les dernières nouvelles du Droit et Nouvelles Technologies http://bit.ly/1JkBbsD

Ransomware galore at the Ministry of Transport



via Actualités securite http://bit.ly/1JkqOoL

San Francisco has seen its first self-driving car accident



via Actualités securite http://bit.ly/1PqJpM8

Oracle patches 248 bugs

Oracle released an update to patch 248 vulnerabilities found in over 50 product lines, including Oracle Database, Java SE, Oracle E-Business Suite, and other products.

via Latest articles from SC Magazine http://bit.ly/1JkqPcl

2015 Cyber Attacks Statistics

I have received many requests to publish a comparison of the aggregated statistics between 2014 and 2015 derived from the

via HACKMAGEDDON http://bit.ly/1PqGH9s

A new security challenge for companies and their data: smartwatches

When my wife gave me a smartwatch last March, I was delighted. As a geek, the smartwatch was about the coolest thing there is, but as a security professional I also saw quite another interest in it: the security implications in an enterprise BYOD scenario. Is it a new way to let users access corporate data? Is it possible to block these devices? And what other implications have I (...) - Viewpoints

via Global Security Mag Online http://bit.ly/1RVfFxH

UTT launches a new specialised master's degree, "Expert forensic et cybersécurité"

The Université de Technologie de Troyes (UTT) is launching a new specialised master's degree, "Expert forensic et cybersécurité" (forensic and cybersecurity expert), which has just been accredited by the CGE and which UTT will present at the next edition of the FIC. Three initial and continuing education programmes have already been developed at UTT: a professional bachelor's degree "Enquêteur en Technologies Numériques" (digital technologies investigator), a university diploma "Recherche de Preuves Numériques" (digital evidence recovery), a master's degree "Sécurité des Systèmes d'Information" (information systems security) and continuing education courses (...) - Private institute training

via Global Security Mag Online http://bit.ly/1VaFYNQ

If you only make one update this week, make it Adobe Flash®

Secunia Research, a subsidiary of Flexera Software, a leading provider of software vulnerability intelligence, announces the publication of 14 national cybersecurity reports for the fourth quarter of 2015. These reports provide an inventory of the vulnerable software installed on private computers in the countries concerned. They also rank these vulnerable applications by the degree to which they expose those computers to attack. Main (...) - Malware

via Global Security Mag Online http://bit.ly/1ZOxKBJ

YesWeHack launches the first European Bug Bounty platform: BountyFactory.io

YesWeHack launches the first European Bug Bounty platform: BountyFactory.io. BountyFactory.io is an accessible way to secure platforms (websites, applications, etc.). Bug Bounties let companies outsource vulnerability research by collecting a significant number of potential security flaws, which are then reproduced and analysed. This allows the code to be improved to counter new risks. With a good Bug Bounty programme, a (...) - Products

via Global Security Mag Online http://bit.ly/1UdJg2J

Tuesday 5 January 2016

The Most Popular AWS Security Blog Posts in 2015

The following 20 posts are the most popular posts that were published in 2015 on the AWS Security Blog. You can use this list as a guide to do some catchup reading or even read a post again that you found particularly valuable.  

  1. Introducing s2n, a New Open Source TLS Implementation
  2. Customer Update—AWS and EU Safe Harbor
  3. How to Connect Your On-Premises Active Directory to AWS Using AD Connector
  4. How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
  5. Privacy and Data Security
  6. Enable a New Feature in the AWS Management Console: Cross-Account Access
  7. PCI Compliance in the AWS Cloud
  8. How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
  9. How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
  10. How to Receive Alerts When Your IAM Configuration Changes
  11. How to Receive Notifications When Your AWS Account's Root Access Keys Are Used
  12. How to Receive Alerts When Specific APIs Are Called by Using AWS CloudTrail, Amazon SNS, and AWS Lambda
  13. New in IAM: Quickly Identify When an Access Key Was Last Used
  14. 2015 AWS PCI Compliance Package Now Available
  15. An Easier Way to Manage Your Policies
  16. New Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth
  17. New SOC 1, 2, and 3 Reports Available -- Including a New Region and Service In-Scope
  18. How to Create a Limited IAM Administrator by Using Managed Policies
  19. How to Delegate Management of Multi-Factor Authentication to AWS IAM Users
  20. Now Available: Videos and Slide Decks from the re:Invent 2015 Security and Compliance Track

Also, the following 20 posts are the most popular AWS Security Blog posts since its inception in April 2013. Some of these posts have been readers' favorites year after year.

  1. Introducing s2n, a New Open Source TLS Implementation
  2. Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
  3. Where's My Secret Access Key?
  4. Securely connect to Linux instances running in a private Amazon VPC
  5. Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0
  6. A New and Standardized Way to Manage Credentials in the AWS SDKs
  7. IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
  8. Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
  9. Demystifying EC2 Resource-Level Permissions
  10. Resource-Level Permissions for EC2--Controlling Management Access on Specific Instances
  11. Controlling Network Access to EC2 Instances Using a Bastion Server
  12. Customer Update—AWS and EU Safe Harbor
  13. Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission)
  14. How Do I Protect Cross-Account Access Using MFA?
  15. Building an App Using Amazon Cognito and an OpenID Connect Identity Provider
  16. A safer way to distribute AWS credentials to EC2
  17. How to Connect Your On-Premises Active Directory to AWS Using AD Connector
  18. How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
  19. Privacy and Data Security
  20. How to Enable Cross-Account Access to the AWS Management Console

We thank you for visiting the AWS Security Blog in 2015 and hope you'll return again regularly in 2016. Let us know in the comments section below if there is a specific security or compliance topic you would like us to cover in the new year. 

- Craig



via AWS Security Blog http://amzn.to/1my16D8

Monday 4 January 2016

Friday 1 January 2016

A Perspective on the Next Big Data Breach

By Kevin Beaver, Guest Blogger, Lancope In looking at the headlines and breach databases, there haven’t been any spectacular, high-visibility incidents in recent weeks. It’s almost as if the criminals are lurking in the weeds, waiting to launch their next attack during the busy, upcoming holiday season. After all, the media tends to sensationalize such breaches […]

via Cloud Security Alliance Blog http://bit.ly/1TuexhH

191 million US voters' data exposed online in database mishap

Personal data and non-public information on almost 60 percent of US citizens was available online because of a misconfigured database.

via ZDNet | Zero Day RSS http://bit.ly/1PByTGx

HTTP Methods

Much of the internet operates on HTTP, Hyper Text Transfer Protocol. With HTTP, the user sends a request and the server replies with its response. These requests are like the pneumatic tubes at the bank — a delivery system for the ultimate content. A user clicks a link; a request is sent to the server; […]

via WhiteHat Security Blog http://bit.ly/1TuewtX

2016 Reality: Lazy Authentication Still the Norm

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

via Krebs on Security http://bit.ly/1Vv29z6