Tag security
Hardcoded secrets, unverified tokens, and other common JWT mistakes
Recommended read: Hardcoded secrets, unverified tokens, and other common JWT mistakes https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
The Impending Doom of Expiring Root CAs and Legacy Clients
Recommended read: The Impending Doom of Expiring Root CAs and Legacy Clients https://scotthelme.co.uk/impending-doom-root-ca-expiring-legacy-clients/
The Real Cause of the Sign In with Apple Zero-Day • Aaron Parecki
Recommended read: The Real Cause of the Sign In with Apple Zero-Day • Aaron Parecki https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
Let’s settle the password vs. passphrase debate once and for all
Recommended read: Let’s settle the password vs. passphrase debate once and for all https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/
JSON Web Token Validation Bypass in Auth0 Authentication API
Recommended read: JSON Web Token Validation Bypass in Auth0 Authentication API https://insomniasec.com/blog/auth0-jwt-validation-bypass
Tomcat May Log Cookies Out-of-the-Box (3 mins read).
Warning you about cookies being logged out-of-the-box, and how to resolve it.
Recommended read: FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more https://www.theregister.co.uk/2020/03/06/virgin_more_leak_details/
HTML attributes to improve your users' two factor authentication experience
Recommended read: HTML attributes to improve your users' two factor authentication experience https://www.twilio.com/blog/html-attributes-two-factor-authentication-autocomplete
systemd service sandboxing and security hardening 101
Recommended read: systemd service sandboxing and security hardening 101 https://www.ctrl.blog/entry/systemd-service-hardening.html
Patch Windows 10 and Server now because certificate validation is broken
Recommended read: Patch Windows 10 and Server now because certificate validation is broken https://arstechnica.com/information-technology/2020/01/patch-windows-10-and-server-now-because-certificate-validation-is-broken/
When MFA isn't necessarily strong
Recommended read: When MFA isn't necessarily strong https://www.sweharris.org/post/2019-06-09-softtoken/
Wifi deauthentication attacks and home security
Recommended read: Wifi deauthentication attacks and home security https://mjg59.dreamwidth.org/53968.html
49% of workers, when forced to update their password, reuse the same one with just a minor change
Recommended read: 49% of workers, when forced to update their password, reuse the same one with just a minor change https://www.grahamcluley.com/49-of-workers-when-forced-to-update-their-password-reuse-the-same-one-with-just-a-minor-change/
Binary Planting with the npm CLI
Recommended read: Binary Planting with the npm CLI https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Thames Water don't get password security
Recommended read: Thames Water don't get password security https://shkspr.mobi/blog/2019/12/thames-water-dont-get-password-security/
Public SSH keys can leak your private infrastructure
An interesting look at how using one key for everything (SSH to servers, SSH for git hosting, etc.) can be a Bad Thing™.
Recommended read: Public SSH keys can leak your private infrastructure https://rushter.com/blog/public-ssh-keys/
Hacking JSON Web Tokens (JWTs)
Recommended read: Hacking JSON Web Tokens (JWTs) https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
Preventing The Capital One Breach
Recommended read: Preventing The Capital One Breach https://ejj.io/blog/capital-one
Report: We Tested 5 Popular Web Hosting Companies & All Were Easily Hacked
Recommended read: Report: We Tested 5 Popular Web Hosting Companies & All Were Easily Hacked https://www.websiteplanet.com/blog/report-popular-hosting-hacked/
Piping Data When Not Running a Command with sudo (1 mins read).
How to (more) safely pipe stdin to an elevated command with sudo tee.
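As an added example (not code from the original post), the pattern that post describes: a redirect such as `sudo echo secret > /etc/file` is performed by the caller's unprivileged shell before sudo ever runs, so the write fails, whereas `echo secret | sudo tee /etc/file >/dev/null` lets tee, running elevated, open the file. The `ELEVATE` variable is an assumption introduced here purely so the function can be exercised without root; in real use it is left as `sudo`.

```shell
#!/bin/sh
# Added example, not from the original post.
#
# Why the obvious form does not work:
#   sudo echo "data" > /root/f     # the redirect is opened by YOUR shell, not root
# What works:
#   echo "data" | sudo tee /root/f >/dev/null   # tee runs as root and opens the file
#
# ELEVATE is an assumed knob for this example only: set it to "" to run tee
# unelevated (as the test below does); leave it unset to use sudo.

# pipe_to_privileged_file FILE [append]
#   Copies stdin to FILE through `tee` run under the elevation command.
#   tee's stdout is discarded so the piped data (possibly a secret) is not
#   echoed back to the terminal or into a log.
#   Pass "append" as the second argument to add to FILE instead of replacing it.
pipe_to_privileged_file() {
    file=$1
    mode=${2:-overwrite}
    elevate=${ELEVATE-sudo}   # "${VAR-default}": an explicitly empty ELEVATE stays empty

    if [ -z "$file" ]; then
        echo "usage: pipe_to_privileged_file FILE [append]" >&2
        return 2
    fi

    if [ "$mode" = append ]; then
        $elevate tee -a "$file" >/dev/null
    else
        $elevate tee "$file" >/dev/null
    fi
}

# Typical use (commented out so this file can be sourced without touching /etc):
#   printf 'net.ipv4.ip_forward=0\n' | pipe_to_privileged_file /etc/sysctl.d/99-local.conf
#   printf '127.0.0.1 example.test\n' | pipe_to_privileged_file /etc/hosts append
```

Discarding tee's stdout matters as much as the elevation: tee copies its input to every file named and to stdout, so without `>/dev/null` a password or key piped through it lands on the terminal (and in any session recording) as well as in the target file.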
Dockle: Container Image Linter for Security
Recommended read: Dockle: Container Image Linter for Security https://github.com/goodwithtech/dockle
We built network isolation for 1,500 services to make Monzo more secure
Recommended read: We built network isolation for 1,500 services to make Monzo more secure https://monzo.com/blog/we-built-network-isolation-for-1-500-services/
Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer
Recommended read: Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer https://www.theregister.co.uk/2019/10/29/intel_disable_hyper_threading_linux_kernel_maintainer/
Without encryption, we will lose all privacy. This is our new battleground
Recommended read: Without encryption, we will lose all privacy. This is our new battleground https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook
Recommended read: Yubikeys for SSH Auth https://www.engineerbetter.com/blog/yubikey-ssh/
Recommended read: Stupid UNIX Tricks https://sneak.berlin/20191011/stupid-unix-tricks/
DevOpsDays London 2019 (63 mins read).
A writeup of the DevOpsDays London conference, and the talks and Open Spaces I attended.
How our security team handle secrets
This is a really interesting post on how some other folks in a similar environment to ours manage their secrets.
It's always cool to see how other folks are doing similar things, anyway, and as usual, Monzo have a great blog post.
Recommended read: How our security team handle secrets https://monzo.com/blog/2019/10/11/how-our-security-team-handle-secrets/
Software Security Field Guide for the Bewildered
Recommended read: Software Security Field Guide for the Bewildered https://zwischenzugs.com/2019/09/22/software-security-field-guide-for-the-bewildered/
This is a really interesting article about the flaws in PGP - I don't have enough security backing and understanding to argue it, but it sounds legitimate. It's a surprise this isn't being talked about more if it is as bad as it is.
Recommended read: The PGP Problem https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
Thoughtbot's Application Security Guide
I found this when listening to episode 194 of the Bike Shed podcast: My PGP Shame. I'd only added this episode to my playlist as it was an interesting title, but listening to it, it was even better than I thought.
There was some great stuff in there about Thoughtbot's application security guide, linked, which is a definite must-read.
My favourite quote of the episode, though, is the following exchange:
I've got to be honest, how does anything work at all? Oh, computers don't work.
Recommended read: Thoughtbot's Application Security Guide https://github.com/thoughtbot/guides/blob/master/security/application.md
Cyber Nottingham May (5 mins read).
A writeup of the Cyber Nottingham meetup in May.
This is a great writeup about how to harden your SSH setup using 2-factor authentication. Would really recommend it!
Recommended read: Hardening SSH with 2fa https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820