Another week goes, another newsletter is done.
#appsec week 10 in summary
https://www.appsecguy.se/appsec-week-10-in-summary/
10.3.2023 17:46

#appsec week 9 in summary, Friday 3rd of March 2023 edition.
https://www.appsecguy.se/appsec-week-9-in-summary/
3.3.2023 21:21

AppSec week 8 in Summary, Saturday 25th of February edition
https://www.appsecguy.se/appsec-week-8-in-summary/
#AppSec #newsletter
25.2.2023 11:05

I wrote a small blog post about the DDoS attacks that targeted Swedish websites last week, focusing on how to protect applications on layer 7 and possible mitigations.
https://www.appsecguy.se/layer-7-denial-of-service-protection/
21.2.2023 17:03

Anonymous against Killnet
20.2.2023 09:43

The effects of the attack are limited and even on the affected websites important functionality is still working. However, the attacks are not to be taken lightly.
Firstly, because of the potential of DDoS attacks against critical infrastructure, at a time the attacker picks. Attacks will happen when it hurts the most and they will target critical infrastructure, not public webpages only.
Secondly, because this is part of an attempt to hit the news, to get popularity and pass the terrorizing message that we are vulnerable. The sophistication of these attacks is quite limited and it is possible to get these as-a-service. Therefore, given the limited damage caused and the targets picked, this looks (at the moment) more like a terror cyberattack than anything else.
Stay sharp. Plan defenses.
19.2.2023 11:16

Several DDoS attacks against Swedish websites during Sunday, by the so-called hacker group Sudan. They are supposedly avenging the burning of the Quran by a far-right extremist group, but there are suspicions that Russia is using this as an opportunity to attack.
Seems like good timing to organize your DDoS defences?
#cybersecuritynews #cybersecurity
19.2.2023 09:41

Telecom company ”Telenor” fined 12.5 million SEK for putting country security at risk by using 25 employees without background security checks, even though these were required by law. PTS (Post- och telestyrelsen), which fined the company, explained that the situation could be used by an external threat actor to attack sensitive operations.
Comment: 12.5 MSEK feels ridiculously low, though I am not aware whether that is the maximum that could be fined.
Source: svt.se
17.2.2023 15:19

Interesting... the list announced and reproduced by Marcus includes public healthcare hospitals and mentions #DDoS. Let’s see how this plays out.
12.2.2023 18:50

GitHub was breached, so here are some links to sources of further information.
The overview
https://thehackernews.com/2023/01/github-breach-hackers-stole-code.html?m=1
A slightly deeper analysis and discussion
https://nakedsecurity.sophos.com/2023/01/31/github-code-signing-certificates-stolen-but-will-be-revoked-this-week/amp/
Open source security podcast
https://opensourcesecurity.io/2023/02/05/episode-361-github-got-pwnt-but-it-wasnt-very-exciting/
A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel.
https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html?m=1 #cybersecuritynews
30.1.2023 20:33

https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-downloaded-excel-xll-add-ins-to-boost-security/ #microsoft #cybersecuritynews
27.1.2023 20:08

Compliance is strange. Companies (hopefully willingly, or even unwillingly) are spending a lot of resources to protect digital assets. However, the same companies are allowed to mail an envelope containing the most sensitive information about you or your family.
Mail can get lost, be undelivered for whatever reason, or even be stolen. For example, before GDPR was in place, I received paper mail containing someone else's loan arrangements and personal details. Yesterday, I got parts of the medical journal of a family member on PAPER in my post.
It is a short-sighted compliance hack and definitely an example of how regulators are struggling to keep up to date. I should AT LEAST have the choice to deny paper communication containing confidential information.
20.1.2023 09:18

https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/ #okta #infosecnews
21.12.2022 10:55

Today the #nytimes published the first commercial spyware tool sales proposal to be made public.
https://www.nytimes.com/interactive/2022/12/08/us/politics/intellexa-commercial-proposal.html
Full story here: https://www.nytimes.com/2022/12/08/us/politics/spyware-nso-pegasus-paragon.html?smid=url-share
8.12.2022 19:50

#OWASP Stockholm held a presentation on #Github Advanced Security with help from Solidify at Microsoft Reactor.
You can find the recorded version here: https://youtu.be/9dOR1Y8g3h4
Topics covered include Dependabot, secret scanning, CodeQL scanning and shifting left. A rich presentation full of content.
8.12.2022 06:34

Apple adds hardware key support for iCloud, extends the range of data protected on iCloud and introduces iMessage Contact Key Verification.
8.12.2022 06:17

Percentage of #infosec spending as a share of total IT spending for all industries in the EU. One graph can’t say it all but this is so interesting... there is a huge difference in actual money between 5.8% in Sweden and 7.3% in Poland... but still it is an indicator of willingness to spend on people, training, licences etc., so goddammit Sweden, you’ve got to do better than that. Source: #enisa
6.12.2022 20:24

Recruiter: We are looking for a superhero senior DevSecOps person with risk management experience who will do consulting for customers as well as internal work for our threat analysis firm. You will work 2-3 days from the office and we can negotiate the salary. 😀

Me: 😤 So you want a do-it-all person, paid fairly, with skills way above average, and your priority is that they come to the office regularly because that is your “culture” and you don’t care about their priorities or personal life. No.
29.11.2022 10:56