Difference between revisions of "Security"

From BC$ MobileTV Wiki
 
(19 intermediate revisions by the same user not shown)
Line 66: Line 66:
  
 
* '''Common Vulnerability Scoring System (CVSS) v3.1 -- specification document: https://www.first.org/cvss/v3.1/specification-document | [https://www.first.org/cvss/v3.1/examples EXAMPLE]'''
 
* '''Common Vulnerability Scoring System (CVSS) v3.1 -- specification document: https://www.first.org/cvss/v3.1/specification-document | [https://www.first.org/cvss/v3.1/examples EXAMPLE]'''
 +
 +
=== MITRE ===
 +
 +
* MITRE: https://www.mitre.org/
 +
* [[wikipedia: Mitre Corporation]]
 +
<ref>Leveraging MITRE tools for effective Threat Informed Architecture: https://andrecamillo.medium.com/leveraging-mitre-tools-for-effective-threat-informed-archite-99f425567edd</ref>
 +
<ref>Container Security Threats Added to MITRE Attack Framework: https://containerjournal.com/features/container-security-threats-added-to-mitre-attack-framework/</ref>
 +
  
 
=== Jargon File ===
 
=== Jargon File ===
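Review bot: the two <ref> tags added under the new === MITRE === heading (the Medium "Leveraging MITRE tools" piece and the Container Journal "Container Security Threats" piece) stand alone on their own lines with no anchor text, so they will render only as bare footnote numbers with nothing for the reader to attach them to; attach each to the bullet it supports, e.g. append the first one to the `* MITRE: https://www.mitre.org/` line.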
Line 90: Line 98:
 
<ref>Does Your Organization Have a Security.txt File?: https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/</ref>
 
<ref>Does Your Organization Have a Security.txt File?: https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/</ref>
 
<ref>Not Everything About ".well-known" is Well Known: https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/</ref>
 
<ref>Not Everything About ".well-known" is Well Known: https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/</ref>
 +
 +
=== InfoSec frameworks ===
 +
 +
<ref>7 Security Frameworks Every InfoSec Professional Should Know: https://medium.com/dark-roast-security/7-security-frameworks-every-infosec-professional-should-know-77a3c4fe2a2b</ref>
 +
 +
==== NIST ====
 +
 +
===== SP 800 =====
 +
 +
===== CSF =====
 +
 +
===== SP 1800 =====
 +
 +
==== ISO ====
 +
 +
===== 27000 series =====
 +
 +
Covered within ISO standards 27001 & 27002, among others, this framework was developed and continues to be maintained by the International Organization for Standardization (ISO) and focuses on providing requirements of creating an Information Security Management System (ISMS).
 +
Their framework sets out to provide a systematic approach to risk management by focusing on controls to protect people, processes, and technology.
 +
 +
==== COBIT ====
 +
 +
Control Objectives for Information Technology (COBIT).
  
  
Line 124: Line 155:
 
<ref>2022 Cyber Attack Statistics, Data, and Trends: https://parachute.cloud/2022-cyber-attack-statistics-data-and-trends/</ref>
 
<ref>2022 Cyber Attack Statistics, Data, and Trends: https://parachute.cloud/2022-cyber-attack-statistics-data-and-trends/</ref>
 
<ref>2022 Must-Know Cyber Attack Statistics and Trends: https://www.embroker.com/blog/cyber-attack-statistics/</ref>
 
<ref>2022 Must-Know Cyber Attack Statistics and Trends: https://www.embroker.com/blog/cyber-attack-statistics/</ref>
 +
<ref>New federal bill would compel key industries to bolster cyber security — or pay a price: https://www.cbc.ca/news/politics/cyberattacks-bill-1.6487826</ref>
 +
<ref>More than 90% of cyberattacks are made possible by human error: https://techxplore.com/news/2022-06-cyberattacks-human-error.html</ref>
  
 
==== Threat Assessment ====
 
==== Threat Assessment ====
Line 348: Line 381:
 
* Basic (Username:Password via HTTP Header)
 
* Basic (Username:Password via HTTP Header)
 
* Digest (Username + Password + nonce/configs, sent in HTTP POST header only, automatically encrypted when using SSL/TLS)
 
* Digest (Username + Password + nonce/configs, sent in HTTP POST header only, automatically encrypted when using SSL/TLS)
 +
 +
<ref>Something You Know, Have, or Are: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html</ref>
  
 
==== DIGEST ====
 
==== DIGEST ====
Line 450: Line 485:
 
===== Secret Management =====
 
===== Secret Management =====
  
* Hashicorp Vault (commercial/OSS): https://www.hashicorp.com/products/vault | [https://github.com/hashicorp/vault SRC]
+
* Hashicorp Vault (commercial/OSS): https://www.hashicorp.com/products/vault | [https://github.com/hashicorp/vault SRC] | [https://docs.hashicorp.com/sentinel DOCS] | [https://learn.hashicorp.com LEARNING]<ref>Login MFA Support Added to Vault Open Source and HCP Vault: https://www.hashicorp.com/blog/login-mfa-support-added-to-vault-open-source-and-hcp-vault</ref>
 
* Vaultier (OSS): http://www.vaultier.org/ | [http://www.vaultier.org/install/ SRC]
 
* Vaultier (OSS): http://www.vaultier.org/ | [http://www.vaultier.org/install/ SRC]
 
* Bitnami Labs - Sealed Secrets: https://engineering.bitnami.com/articles/sealed-secrets.html | [https://github.com/bitnami-labs/sealed-secrets SRC]
 
* Bitnami Labs - Sealed Secrets: https://engineering.bitnami.com/articles/sealed-secrets.html | [https://github.com/bitnami-labs/sealed-secrets SRC]
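Review bot: the DOCS link added to the Hashicorp Vault entry points at https://docs.hashicorp.com/sentinel, which is the documentation for Sentinel (HashiCorp's policy-as-code product) rather than for Vault itself; either relabel it as SENTINEL DOCS or point it at the Vault documentation so the label matches the target.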
Line 489: Line 524:
 
<ref>Shifting Security Left -- The Innovation of DevSecOps: https://www.alldaydevops.com/blog/shifting-security-left-the-innovation-of-devsecops-1</ref>
 
<ref>Shifting Security Left -- The Innovation of DevSecOps: https://www.alldaydevops.com/blog/shifting-security-left-the-innovation-of-devsecops-1</ref>
 
<ref>US Executive Order on Cybersecurity -- Software Bill of Materials (SBOM) - What it Means for DevOps: https://jfrog.com/blog/us-executive-order-on-cybersecurity-what-it-means-for-devops/</ref>
 
<ref>US Executive Order on Cybersecurity -- Software Bill of Materials (SBOM) - What it Means for DevOps: https://jfrog.com/blog/us-executive-order-on-cybersecurity-what-it-means-for-devops/</ref>
 +
<ref>Secrets Detection on Pull Request… The DevSecOps Way: https://medium.com/@galsegal_85810/secrets-detection-on-pull-request-the-devsecops-way-8bbd9759a695</ref>
  
 
==== Dependency Vulnerability Checker ====
 
==== Dependency Vulnerability Checker ====
Line 603: Line 639:
 
* [[wikipedia: Runtime application self-protection]] (''RASP'')
 
* [[wikipedia: Runtime application self-protection]] (''RASP'')
 
<ref>SAST, DAST, IAST and RASP: https://www.imperva.com/learn/application-security/sast-iast-dast/</ref>
 
<ref>SAST, DAST, IAST and RASP: https://www.imperva.com/learn/application-security/sast-iast-dast/</ref>
 
  
 
=== PAC ===
 
=== PAC ===
Line 746: Line 781:
 
* '''Have-I-Been-Pwned?: https://haveibeenpwned.com/ | [https://github.com/haveibeenpwned SRC]'''<ref>Project Svalbard, Have I Been Pwned and its Ongoing Independen: https://www.troyhunt.com/project-svalbard-have-i-been-pwned-and-its-ongoing-independence/</ref><ref>I'm Open Sourcing the Have I Been Pwned Code Base: https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/</ref><ref>Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI: https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/</ref><ref>FBI to Share Compromised Passwords With Have I Been Pwned: https://www.govinfosecurity.com/fbi-to-share-compromised-passwords-have-i-been-pwned-a-16760</ref>
 
* '''Have-I-Been-Pwned?: https://haveibeenpwned.com/ | [https://github.com/haveibeenpwned SRC]'''<ref>Project Svalbard, Have I Been Pwned and its Ongoing Independen: https://www.troyhunt.com/project-svalbard-have-i-been-pwned-and-its-ongoing-independence/</ref><ref>I'm Open Sourcing the Have I Been Pwned Code Base: https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/</ref><ref>Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI: https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/</ref><ref>FBI to Share Compromised Passwords With Have I Been Pwned: https://www.govinfosecurity.com/fbi-to-share-compromised-passwords-have-i-been-pwned-a-16760</ref>
 
* UserSearch — username lookup (usage by site) tool: https://usersearch.org/
 
* UserSearch — username lookup (usage by site) tool: https://usersearch.org/
* Common Attack Pattern Enumeration and Classification (CAPEC) -- Hack/Exploit dictionary lookup: http://capec.mitre.org/()
+
* Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/ (Hack/Exploit dictionary lookup)
 
* Security Testing Tools You Need To Know About: http://dzone.com/articles/security-testing-tools-you-need-to-know-about
 
* Security Testing Tools You Need To Know About: http://dzone.com/articles/security-testing-tools-you-need-to-know-about
 
* Audit Your Web Security with Acunetix Vulnerability Scanner: https://www.acunetix.com/vulnerability-scanner/
 
* Audit Your Web Security with Acunetix Vulnerability Scanner: https://www.acunetix.com/vulnerability-scanner/
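Review bot: the CAPEC rewrite correctly drops the stray "()" that was glued onto the end of the URL and moves the "Hack/Exploit dictionary lookup" description into parentheses after the link, matching the "title: URL (description)" shape of the neighbouring entries; nothing else in this hunk changes.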
Line 1,019: Line 1,054:
 
* Breach-level index: https://www.breachlevelindex.com/
 
* Breach-level index: https://www.breachlevelindex.com/
 
* '''World's Biggest Data Breaches (INTERACTIVE INFOGRAPHIC): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/'''<ref>Cybersecurity in 2015 -- What to expect: http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/</ref>
 
* '''World's Biggest Data Breaches (INTERACTIVE INFOGRAPHIC): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/'''<ref>Cybersecurity in 2015 -- What to expect: http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/</ref>
* SECURITIES AND EXCHANGE COMMISSION (SEC) -- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (2022-03-09): https://www.sec.gov/rules/proposed/2022/33-11038.pdf<ref>SEC proposes four-day rule for public companies to report cyberattacks: https://www.theregister.com/2022/03/09/sec_cyberattack_disclosure/</ref><ref>SEC proposes mandatory breach reporting for publicly traded companies: https://fcw.com/security/2022/03/sec-proposes-mandatory-breach-reporting-publicly-traded-companies/362975/</ref>
+
* SECURITIES AND EXCHANGE COMMISSION (SEC) -- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (2022-03-09): https://www.sec.gov/rules/proposed/2022/33-11038.pdf<ref>SEC proposes four-day rule for public companies to report cyberattacks: https://www.theregister.com/2022/03/09/sec_cyberattack_disclosure/</ref><ref>SEC proposes mandatory breach reporting for publicly traded companies: https://fcw.com/security/2022/03/sec-proposes-mandatory-breach-reporting-publicly-traded-companies/362975/</ref><ref>'''Demystify the Cybersecurity Risk Management Process: https://dzone.com/articles/demystify-the-cybersecurity-risk-management-proces'''</ref>
 
Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises: https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises<ref>Data Breach Notice Research by the Identity Theft Resource Center Shows Consumers Don’t Act After a Data Theft: https://www.idtheftcenter.org/post/data-breach-notice-research-by-the-identity-theft-resource-center-shows-consumers-dont-act-after-a-data-theft/</ref>
 
Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises: https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises<ref>Data Breach Notice Research by the Identity Theft Resource Center Shows Consumers Don’t Act After a Data Theft: https://www.idtheftcenter.org/post/data-breach-notice-research-by-the-identity-theft-resource-center-shows-consumers-dont-act-after-a-data-theft/</ref>
 
<ref>Data breaches in the US are over 90% cyberattack-related: https://techhq.com/2022/04/data-breaches-in-the-us-rose-14-in-the-first-quarter-of-this-year/</ref>
 
<ref>Data breaches in the US are over 90% cyberattack-related: https://techhq.com/2022/04/data-breaches-in-the-us-rose-14-in-the-first-quarter-of-this-year/</ref>
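Review bot: the Identity Theft Resource Center line in this hunk's context is the only entry here without the leading `* ` bullet, so it renders as a loose paragraph wedged between two bullet lists; since this hunk already edits the SEC entry directly above it, add the bullet while here.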
Line 1,061: Line 1,096:
 
* Air India says February’s data breach affected 4.5 mln passengers: https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/
 
* Air India says February’s data breach affected 4.5 mln passengers: https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/
 
* REPORT - how cybercriminals abuse API keys to steal millions (from CryptoCurrency Exchanges): https://cybernews.com/security/report-how-cybercriminals-abuse-api-keys-to-steal-millions/
 
* REPORT - how cybercriminals abuse API keys to steal millions (from CryptoCurrency Exchanges): https://cybernews.com/security/report-how-cybercriminals-abuse-api-keys-to-steal-millions/
* '''US Soldiers Expose Nuclear Weapons Secrets via "Flashcard/E-Learning Apps": https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/'''
+
* '''US Soldiers Expose Nuclear Weapons Secrets via "Flashcard/E-Learning Apps": https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/'''<ref>US nuclear weapon bunker security secrets spill from online flashcards since 2013: https://www.theregister.com/2021/05/28/flashcards_military_nuclear/</ref>
<ref>US nuclear weapon bunker security secrets spill from online flashcards since 2013: https://www.theregister.com/2021/05/28/flashcards_military_nuclear/</ref>
+
* Flaws in third-party software exposed dozens of Teslas to remote access: https://techcrunch.com/2022/01/24/teslamate-bug-teslas-exposed-remote/<ref>'''Smart API Security for Your Smart Car: https://curity.io/blog/smart-api-security-for-your-smart-car/'''</ref>
 
<ref>Hackers Breach EA, Claim to Have Stolen Company Source Code: https://www.pcmag.com/news/hackers-breach-ea-claim-to-have-stolen-company-source-code</ref>
 
<ref>Hackers Breach EA, Claim to Have Stolen Company Source Code: https://www.pcmag.com/news/hackers-breach-ea-claim-to-have-stolen-company-source-code</ref>
 
<ref>Tracking Amazon delivery staff through their own "Package Tracking API": https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staff/</ref>
 
<ref>Tracking Amazon delivery staff through their own "Package Tracking API": https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staff/</ref>
Line 1,083: Line 1,118:
 
<ref>Christian Donation site "GiveSendGo", used by Freedom Convoy, suffers 3rd data leak in two weeks: https://www.dailydot.com/debug/givesendgo-trucker-convoy-hack-leak/</ref>
 
<ref>Christian Donation site "GiveSendGo", used by Freedom Convoy, suffers 3rd data leak in two weeks: https://www.dailydot.com/debug/givesendgo-trucker-convoy-hack-leak/</ref>
 
<ref>Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments: https://www.mandiant.com/resources/apt41-us-state-governments</ref>
 
<ref>Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments: https://www.mandiant.com/resources/apt41-us-state-governments</ref>
 +
<ref>FBI warns of ransomware gangs targeting food, agriculture orgs: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-gangs-targeting-food-agriculture-orgs/</ref>
 
<ref>FBI warns of ransomware attacks targeting US agriculture sector: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-attacks-targeting-us-agriculture-sector/</ref>
 
<ref>FBI warns of ransomware attacks targeting US agriculture sector: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-attacks-targeting-us-agriculture-sector/</ref>
 
<ref>Cow-counting app abused by China "to spy on US states' governments": https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/</ref>
 
<ref>Cow-counting app abused by China "to spy on US states' governments": https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/</ref>
 
<ref>Ransomware plows through farm machinery giant AGCO:https://www.theregister.com/2022/05/09/farm_machinery_giant_agco_hit/</ref>
 
<ref>Ransomware plows through farm machinery giant AGCO:https://www.theregister.com/2022/05/09/farm_machinery_giant_agco_hit/</ref>
 +
<ref>'''Protecting Android users from 0-Day attacks: https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/'''</ref>
 +
<ref>Researchers devise iPhone malware that runs even when device is turned off: https://arstechnica.com/information-technology/2022/05/researchers-devise-iphone-malware-that-runs-even-when-device-is-turned-off/</ref>
 +
<ref>Google - "Predator" spyware infected Android devices using zero-days (several governments potentially involved): https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/</ref>
 +
  
  
Line 1,092: Line 1,132:
 
* 9 Useful Tips For Linux Server Security: https://dzone.com/articles/9-useful-tips-for-linux-server-security
 
* 9 Useful Tips For Linux Server Security: https://dzone.com/articles/9-useful-tips-for-linux-server-security
 
* '''Salted Password Hashing - Doing it Right: https://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right'''
 
* '''Salted Password Hashing - Doing it Right: https://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right'''
 +
* Serious Form Security: https://css-tricks.com/serious-form-security/
 
* Understanding Hash Functions and Keeping Passwords Safe: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/
 
* Understanding Hash Functions and Keeping Passwords Safe: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/
 
* '''How To Safely Store A Password: https://codahale.com/how-to-safely-store-a-password/'''
 
* '''How To Safely Store A Password: https://codahale.com/how-to-safely-store-a-password/'''
 +
<ref>'''Password Authentication -- How to Correctly Do It: https://dzone.com/articles/password-authentication-how-to-do-it-correctly'''</ref>
 +
<ref>How to Hash a BLOB: http://sqlblog.com/blogs/michael_coles/archive/2009/04/16/13253.aspx</ref>
 +
<ref>'''Database Modeling Tip - How to Store Passwords in a Database with HASH + SALT: http://onewebsql.com/blog/how-to-store-passwords'''</ref>
 
<ref>A Future-Adaptable Password Scheme (WHITEPAPER): https://www.usenix.org/legacy/events/usenix99/provos.html</ref>
 
<ref>A Future-Adaptable Password Scheme (WHITEPAPER): https://www.usenix.org/legacy/events/usenix99/provos.html</ref>
 
  
 
* '''MD5 Hash Check Tutorial: http://www.hostknox.com/tutorials/miscellaneous/md5-hash-check'''
 
* '''MD5 Hash Check Tutorial: http://www.hostknox.com/tutorials/miscellaneous/md5-hash-check'''
Line 1,123: Line 1,166:
 
* Realistic password strength estimation: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
 
* Realistic password strength estimation: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
 
* Passwords vs. Pass Phrases: https://blog.codinghorror.com/passwords-vs-pass-phrases/
 
* Passwords vs. Pass Phrases: https://blog.codinghorror.com/passwords-vs-pass-phrases/
* '''Salted Password Hashing - Doing it Right: http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right'''
 
* How to Hash a BLOB: http://sqlblog.com/blogs/michael_coles/archive/2009/04/16/13253.aspx
 
* '''Database Modeling Tip - How to Store Passwords in a Database with HASH + SALT: http://onewebsql.com/blog/how-to-store-passwords'''
 
* Serious Form Security: https://css-tricks.com/serious-form-security/
 
  
 
* '''Secure your web application with these HTTP headers: https://medium.freecodecamp.org/secure-your-web-application-with-these-http-headers-fd66e0367628'''
 
* '''Secure your web application with these HTTP headers: https://medium.freecodecamp.org/secure-your-web-application-with-these-http-headers-fd66e0367628'''
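Review bot: the four bullets removed here (Salted Password Hashing, How to Hash a BLOB, Database Modeling Tip, Serious Form Security) are re-added earlier in this revision next to the other password-storage links, which also removes the duplicate Salted Password Hashing entry; note that two of them come back as bare <ref> footnotes rather than bullets, so their titles drop out of the visible list.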
Line 1,330: Line 1,369:
 
* AFP used controversial encryption laws in its 'most significant operation in policing history': https://www.zdnet.com/article/australias-encryption-laws-used-by-afp-in-countrys-most-significant-operation-in-policing-history/
 
* AFP used controversial encryption laws in its 'most significant operation in policing history': https://www.zdnet.com/article/australias-encryption-laws-used-by-afp-in-countrys-most-significant-operation-in-policing-history/
 
* Australian cops, FBI created backdoored "AN0M" chat app, told crims it was secure – then snooped on 9,000 users' plots: https://www.theregister.com/2021/06/08/operation_ironside_anom/
 
* Australian cops, FBI created backdoored "AN0M" chat app, told crims it was secure – then snooped on 9,000 users' plots: https://www.theregister.com/2021/06/08/operation_ironside_anom/
* Container Security Threats Added to MITRE Attack Framework: https://containerjournal.com/features/container-security-threats-added-to-mitre-attack-framework/
 
 
* Sequoia -- A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909): https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
 
* Sequoia -- A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909): https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
 
* Old Dogs, New Tricks - Attackers adopt exotic programming languages (for hacks, malware, ransomware, worms, etc): https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks
 
* Old Dogs, New Tricks - Attackers adopt exotic programming languages (for hacks, malware, ransomware, worms, etc): https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks
Line 1,353: Line 1,391:
 
* Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
 
* Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
 
* US Passes Law Requiring Better Cybercrime Data Collection: https://www.govinfosecurity.com/us-passes-law-requiring-better-cybercrime-data-collection-a-19028
 
* US Passes Law Requiring Better Cybercrime Data Collection: https://www.govinfosecurity.com/us-passes-law-requiring-better-cybercrime-data-collection-a-19028
 +
* United States Government (USG), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) -- National Cyber Awareness System - Weak Security Controls and Practices Routinely Exploited for Initial Access: https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
 +
* Elon Musk - Russian efforts to jam Starlink are 'ramping up': https://www.zdnet.com/article/elon-musk-says-russian-efforts-to-jam-starlink-are-ramping-up/
 +
* FBI and NSA say - Stop doing these 10 things that let the hackers in: https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/ | [https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF DOC]<ref>NSA, Allies Issue Cybersecurity Advisory on Weaknesses that Allow Initial Access: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3033563/nsa-allies-issue-cybersecurity-advisory-on-weaknesses-that-allow-initial-access/</ref>
 +
* Botnets, Telegram Helped Criminals Steal $163B in COVID Aid: https://securityboulevard.com/2022/05/botnets-telegram-helped-criminals-steal-163b-in-covid-aid/
 +
* State-Backed Hacker Believed to Be Behind Follina Attacks on EU and US: https://www.infosecurity-magazine.com/news/statebacked-hacker-follina-attacks/
  
  
Line 1,361: Line 1,404:
 
== See Also ==
 
== See Also ==
  
[[WebApp]] | [[Web Service]] | [[Penetration Testing]] | [[Surveillance]] | [[Identification]] | [[Authentication]] | [[Authorization]] | [[Encryption]] | [[HTTPS]] | [[SSL]] | [[TLS]] | [[XSS]] | [[PGP]] | [[Network]] [[Firewall]] | [[TechDebt]]
+
[[WebApp]] | [[Web Service]] | [[Penetration Testing]] | [[Surveillance]] | [[Identification]] | [[Authentication]] | [[Authorization]] | [[Encryption]] | [[HTTPS]] | [[SSL]] | [[TLS]] | [[XSS]] | [[PGP]] | [[VPN]] | [[P2P]] | [[Network]] [[Firewall]] | [[TechDebt]] | [[DarkWeb]] | [[Quantum Computing]]

Latest revision as of 19:12, 21 June 2022

The message = we don't want anyone to see us naked on a bike...
A.) HTTP = driving naked through a windowed tunnel
B.) HTTPS = driving naked through a covered tunnel
C.) Auth + MessageSigning/WS-Security = biking with clothes and helmet on (covered tunnel optional); an extra security entourage keeps people far away so they can't stop your bike and/or strip your clothes off. Security is guaranteed, and the HTTPS covered tunnel remains optional.

Security is the real or perceived protection from real or potential external and internal threats. Threats may involve personal harm, group harm or large-scale societal harm, and may take any number of forms: compromising an individual (as in death or physical injury), compromising equipment (as in hardware damage, theft or vandalism), or compromising information such as software or data (as in theft of customer data or company trade secrets, leaking of personal emails, or overall damage to information consistency).




Specifications

PKI

Public-Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. A PKI consists of:

  1. A Certificate Authority (CA) that both issues and verifies the digital certificates.
  2. A Registration Authority (RA) which verifies the identity of users requesting information from the CA.
  3. A central directory (i.e. a secure location in which to store and index keys).
  4. A certificate management system (i.e. a user interface or software tool, exposing a client/server or other architecture, for displaying information such as public-private key pairs and key contents to authenticated/authorized users).

X.509

PCI

The Payment Card Industry (PCI) is an informal and unofficial grouping for any company that processes payment for a product/service.

[1]

PCI SSC

Payment Card Industry Security Standards Council (PCI SSC) is an official group of payment processing providers and interested parties. When people talk about "PCI compliance", they really mean adherence to the set of standards by the PCI SSC.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard by the PCI SSC which is intended for organizations that handle cardholder information of any of the major debit, credit, prepaid, e-purse, ATM, and POS cards.

[2] [3] [4] [5]

PA-DSS

The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI SSC for the purpose of providing the definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN.[6]

There are currently 14 requirements for PA-DSS compliance:

  1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities.
  8. Facilitate secure network implementation.
  9. Cardholder data must never be stored on a server connected to the internet.
  10. Facilitate secure remote software updates.
  11. Facilitate secure remote access to payment application.
  12. Encrypt sensitive traffic over public networks.
  13. Encrypt all non-console administrative access.
  14. Maintain instructional documentation and training programs for customers, resellers, and integrators. [7]

To date, fewer than 800 organizations have reached full PA-DSS compliance. [8]

CVSS

MITRE

[9] [10]


Jargon File

[11]

SRI

CSP

Content Security Policy (commonly abbreviated CSP)

[14]

Security.txt

[15] [16]

InfoSec frameworks

[17]

NIST

SP 800
CSF
SP 1800

ISO

27000 series

Covered within ISO standards 27001 & 27002, among others, this framework was developed and continues to be maintained by the International Organization for Standardization (ISO) and focuses on providing requirements of creating an Information Security Management System (ISMS). Their framework sets out to provide a systematic approach to risk management by focusing on controls to protect people, processes, and technology.

COBIT

Control Objectives for Information Technology (COBIT).


Algorithms

SHA

Secure Hash Algorithm (commonly abbreviated SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. The SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, SHA-2 & SHA-3. The SHA-2 family uses one algorithm with a variable digest size, distinguished as SHA-224, SHA-256, SHA-384, and SHA-512. The SHA-3 family is the most recent and secure (but costly/time-consuming), yet offers the same hash sizes as SHA-2.[18]

HMAC

Hash-based Message Authentication Code (commonly abbreviated HMAC), is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key and the size of the hash output length in bits.[19]

MD5


E-Security

Electronic Security (commonly shortened as E-Security or eSecurity) is a concept representing the relative trustworthiness, reliability, access protections and safeguards against unauthorized access, tampering or damage to data or activities in any digital system. These measures are designed to preserve the confidentiality and integrity of each and every user's data as well as, more broadly, the protection of physical assets and/or intellectual property which may be accessed or protected electronically.[20]

Cybersecurity

Related to the concept of "E-Security" is the subset of "Cybersecurity" which focuses on the protection of all users' data and property, as well as corporate data, physical assets and intellectual property, that is potentially accessible over a network (typically focused broadly on the entire Internet and wide-area networks, but also applicable to corporate intranets and/or local networks).

[21] [22] [23] [24] [25] [26] [27] [28]

Threat Assessment

[29] [30] [31] [32]

Security Awareness Training

[35]

Attacks

  • Denial-of-Service[36]
  • XSS
  • CSRF
  • SQL Injection
  • LDAP injection
  • Clickjacking
  • Session hijacking
  • URL manipulation
  • Parameter tampering
  • Authentication bypass
  • IDOR/BOLA[37][38][39]
  • Command injection (via HTML FORMs, GreaseMonkey, or DevTools)
  • Web services analysis (SOAP & REST protocol private/internal API attacks)
  • Java, Flash, ActiveX clients analysis
  • Active Content exploits
  • XML, XPATH, JSON injection
  • Remote file inclusion (via JSONp, File Upload forms, etc)
  • Malformed File Format & Memory buffer overrun (File Uploads)
  • Weak cryptographic mechanism exploits
  • Brute Force
  • Man-in-the-Middle
  • Relay
  • Phishing
  • Snooping
  • Forgery
  • Identity Fraud[40]
  • Keystroke Analysis
  • Spyware
  • Malware
  • Worm
  • Virus
  • Trojan Horse
  • Organizational In-Person Deception/Espionage
  • Malvertising
  • Request Stuffing

Phishing

[41] [42] [43] [44] [45] [46]

Spear-Phishing

Highly-targeted attacks directed at specific individuals or groups within a company such as those who make purchasing decisions, finance department members, managers, HR & hiring decision-makers, vendor selection, Security team leads, Developers, etc.

Whaling

Attacking top-level executives such as Presidents, C-suite and/or VPs.

Pharming

Vishing

Voice phishing (by mimicking IVR, caller ID / Voicemail services, or possibly even real-time or recorded faked voice transformations).

Smishing

SMS/MMS-based phishing attacks.

SQL Injection

SQL Injection is a common web application vulnerability whereby a database is attacked by injecting unwanted or undesirable SQL queries at the end of a valid and expected SQL query.

The most common solution to this problem is to clean the string by trimming it at the end of its known and allotted length, while also escaping and/or dropping any unexpected characters that could compromise security by running undesired code.
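An added example (not code from the wiki) showing the vulnerable pattern described above next to two defenses: a bound query parameter, and the length-capped allow-list validation the page recommends, layered on top of it. The users table and its two rows are constructed sample data; the database is an in-memory SQLite file so the script runs offline.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demonstration; not from the wiki.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The bug: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: the driver sends the value separately from the SQL text, so the
    input is only ever compared as data and never parsed as part of the query."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list: a fixed character set and a hard length cap (the page's
# "trim to the allotted length, drop unexpected characters" advice).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    """Reject anything outside the allow-list instead of trying to escape it."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Defense in depth: validate first, then still bind the parameter."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"  # the textbook tautology, used only to show the difference
    print("vulnerable   :", lookup_vulnerable(db, tainted))    # every row comes back
    print("parameterized:", lookup_parameterized(db, tainted)) # no such username: []
    print("hardened     :", lookup_hardened(db, "alice"))
```

The parameterized query alone already closes the injection; the allow-list is what keeps a 10 kB "username" or a stray control character from ever reaching the database layer, which is the practical reason to keep both.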


Clickjacking

[47] [48] [49] [50] [51]


Buffer Overflow

Cross-Site Scripting (XSS)

Server-Side Code Injection

Server-Side Include

Format String Error

Parameter Tampering

CRLF Injection

Remote OS Command Injection

Cross-site request forgery (CSRF)

Infinite Redirect

IDOR

Insecure Direct Object Reference (IDOR).

[52] [53] [54] [55] [56] [57]

XXE

Bit Flipping


Signal Spoofing

Using electrical signals or radio signals to interrupt other communications or trick software/hardware to divulge, erase, lock or otherwise manipulate information or settings on a device.


Ransomware

[58] [59] [60] [61] [62] [63] [64]


Killware

Malicious software or hardware hacks designed to injure, maim or kill individuals, groups or undisclosed (perhaps even unplanned/non-specific) members of the general public.


Defenses

  • Caching
  • Logging
  • Observability & Real-time Event-Driven Alerting
  • Audits
  • Indicators Of Compromise (IOCs)
  • Intrusion Prevention
  • Intrusion Detection
  • Directories (w. user-centric permissions)
  • Honey Pots
  • Hashing
  • Encryption
  • Signatures (Digital Certificate, Elliptic Curve, etc...)
  • PKI (public/private keys)
  • Validation (inputs must match a certain pattern or they are ignored)
  • String Cleaning (HTML, Script tag, SQL and/or Server-side code removal)
  • Filters (purifiers, removal of specific types of text/patterns)
  • Type-checking (MIME-types delimitation/validation)
  • URL Encoding/Decoding
  • Firewalls
  • IPsec
  • Anti-Virus software

[65]

Auth

  • Authentication
  • Authorization
  • Basic (Username:Password via HTTP Header)
  • Digest (Username + Password + nonce/configs, sent in HTTP POST header only, automatically encrypted when using SSL/TLS)

[66]

DIGEST

HTTP Digest authentication differs from HTTP Basic authentication in that it specifies extra parameters that must appear in the challenge response's WWW-Authenticate header.


For instance, on an unauthenticated request to a DIGEST-secured endpoint "https://localhost:8080/helloworld-webapp/account/username123" you should get a challenge response with HTTP status 401 containing the digest WWW-Authenticate header:

WWW-Authenticate: Digest realm="digest realm", qop="auth", nonce="1415713971682:2ffba5083baf438b90d2986cc77ae793", opaque="C4DAF43F253C0AFA5F006908F5595C8F"

Here are the additional parameters that need to be processed and sent in the response:

  1. digest - the authentication scheme
  2. realm - configurable on the server, for example, [<realm-name/>] on Tomcat
  3. qop (Quality of Protection) - indicates the required digest calculation
  4. nonce - a (cryptographic) nonce is a server-generated number, generated once per challenge
  5. opaque - harder to explain quickly (see the following links for more), but it is not part of the digest calculation and should be returned unchanged.

These parameters are used by the client to calculate the digest for the subsequent request's Authorization header; for example:

Authorization: Digest username="restuser", realm="digest realm", nonce="1415716491557:de6af453ecd19abca5d55334e8146831", uri="/helloworld-webapp/account/username123", response="2b9d6d028c50cdd5fca231dd0cbc2ffe", qop=auth, nc=00000001, cnonce="f494e7c6145efa8651123920df2b3a2d", opaque="C4DAF43F253C0AFA5F006908F5595C8F"
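The exchange above, worked through in code as an added example (not code from the wiki or from the server it describes). It parses the WWW-Authenticate challenge quoted on this page, computes the qop=auth response of RFC 2617 (MD5 of HA1:nonce:nc:cnonce:qop:HA2), builds the Authorization header with opaque echoed back unchanged, and shows the server-side check. The password "example-password" and the password-lookup callback are assumptions; the page does not give the password behind the quoted response, so that exact response value is not reproduced.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Optional

# The 401 challenge quoted on this page.
WWW_AUTHENTICATE = ('Digest realm="digest realm", qop="auth", '
                    'nonce="1415713971682:2ffba5083baf438b90d2986cc77ae793", '
                    'opaque="C4DAF43F253C0AFA5F006908F5595C8F"')

# key="quoted value"  or  key=barevalue  (qop=auth, nc=00000001 are sent bare)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value: str) -> Dict[str, str]:
    """Split a 'Digest k="v", k=v, ...' header (challenge or response) into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # the only term that involves the password
    ha2 = _md5(f"{method}:{uri}")                  # binds the digest to this method and URI
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge: Dict[str, str], username: str, password: str,
                        method: str, uri: str, nc: int = 1,
                        cnonce: Optional[str] = None) -> str:
    """Client side: answer a parsed challenge. opaque is echoed back untouched."""
    cnonce = cnonce or secrets.token_hex(16)   # client nonce, fresh per request
    nc_hex = f"{nc:08x}"                        # request counter for this server nonce
    qop = challenge.get("qop", "auth")
    response = digest_response(username, challenge["realm"], password, method, uri,
                               challenge["nonce"], nc_hex, cnonce, qop)
    return (f'Digest username="{username}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", response="{response}", '
            f'qop={qop}, nc={nc_hex}, cnonce="{cnonce}", opaque="{challenge["opaque"]}"')


def server_verify(authorization: str, method: str,
                  lookup_password: Callable[[str], str], issued_nonce: str) -> bool:
    """Server side: accept only a nonce this server issued, recompute the digest
    from the stored credential, and compare in constant time."""
    p = parse_digest_header(authorization)
    if p.get("nonce") != issued_nonce:
        return False
    expected = digest_response(p["username"], p["realm"], lookup_password(p["username"]),
                               method, p["uri"], p["nonce"], p["nc"], p["cnonce"],
                               p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    challenge = parse_digest_header(WWW_AUTHENTICATE)
    uri = "/helloworld-webapp/account/username123"
    hdr = build_authorization(challenge, "restuser", "example-password", "GET", uri)
    print("Authorization:", hdr)
    print("accepted:", server_verify(hdr, "GET", lambda u: "example-password", challenge["nonce"]))
```

Because HA2 includes the method and URI, the same Authorization header replayed against a different endpoint or method fails verification, and because the server checks that the nonce is one it issued, a captured header cannot simply be reused against a later challenge.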

Strong Passwords

[68] [69] [70] [71] [72] [73]

Credential enumeration protection

[74] [75]

Credential recognition protection

Multi-Factor Authentication

Any combination of the following three factors may be required:

  1. what you know - username, password, passphrase, etc
  2. what you are - biometrics such as fingerprint reader, facial recognition, iris/retina scan, gait pattern (physical facility surveillance), etc
  3. what you have - email address, phone number (calls or SMS text messages), encryption key fob, etc

[77]

OTP

Web-based One-Time Password (commonly referred to as WebOTP or 1-time-pass) can be used to verify phone numbers on the web.
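An added example (not code from the wiki or from the WebOTP specification) of the server side of the SMS/phone-number verification flow the "what you have" factor and WebOTP rely on: issuing a short numeric code, storing only a salted hash of it, and accepting it exactly once, before expiry, within a bounded number of guesses. The 5-minute lifetime, the 5-attempt budget and the phone number are constructed assumptions; how the code is delivered over SMS is outside the block.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed policy: discard the code after 5 wrong guesses


def _hash(code: str, salt: str) -> str:
    # A 6-digit code has only 10^6 values, so the salt is what stops a leaked
    # store from being reversed with a precomputed table.
    return hashlib.sha256(f"{salt}:{code}".encode()).hexdigest()


@dataclass
class PendingCode:
    digest: str
    salt: str
    expires_at: float
    attempts: int = 0


@dataclass
class OtpVerifier:
    """Server-side store of outstanding one-time codes, keyed by phone number."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, phone: str, now: Optional[float] = None) -> str:
        """Create a fresh code for `phone` (replacing any outstanding one).
        The returned string is what would be sent by SMS; the server keeps
        only its salted hash."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_hex(8)
        self.pending[phone] = PendingCode(_hash(code, salt), salt, now + CODE_TTL_SECONDS)
        return code

    def verify(self, phone: str, code: str, now: Optional[float] = None) -> bool:
        """True exactly once for the right code, before expiry, within the guess budget."""
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[phone]          # expired or guessed at too often: discard
            return False
        entry.attempts += 1
        if hmac.compare_digest(_hash(code, entry.salt), entry.digest):
            del self.pending[phone]          # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    v = OtpVerifier()
    phone = "+1-555-0100"  # constructed, fictional number
    code = v.issue(phone)
    print("sent code:", code)
    print("first use :", v.verify(phone, code))   # True
    print("second use:", v.verify(phone, code))   # False, already consumed
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production it is left unset and the wall clock is used.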

Passwordless

[80] [81] [82] [83] [84] [85]

Password Managers

[87] [88] [89] [90] [91] [92] [93] [94] [95] [96] [97]

Secret Management


WAF


SIEM

[99] [100] [101] [102]


Zero-Trust


DevSecOps

DevSecOps is an architectural pattern or extension of DevOps whereby Security (just like the emphasis on quality) gets baked into the Products/Projects being delivered.

[103] [104] [105] [106] [107] [108]

Dependency Vulnerability Checker

[111] [112]

[113] [114] [115] [116] [117]

BoM

Bill of Materials (BoM).

[118]

SBOM

Software Bill of Materials (SBoM).

[119] [120] [121] [122] [123] [124] [125] [126]

SPDX

[127] [128]

SWID

[129]

CycloneDX

OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

[130] [131]

OpenChain

[132]

Secret protection

This includes API Keys, Tokens (JWT, auth tokens, Cookie IDentifiers, SessionIDs), Usernames/Passwords, encrypted hashes, public keys, and other forms of credentials or secrets. The best defense for these is ensuring they are never leaked in the first place.

Key rotation policies

These protect keys in the event of unauthorized access, snooping/spying (codebase, client-side code & network requests), accidental leaks, etc.


AST

Application Security Testing (AST).

SAST

Static Application Security Testing (SAST).

[133]

DAST

Dynamic Application Security Testing (DAST).

[134]

IAST

Interactive Application Security Testing (IAST).

[135]

RASP

Runtime Application Self-Protection (RASP).

[136]

PAC

[139]

Digital Signature

A Digital Signature is an electronic cryptographic identification or symbol representing an individual.

Checksum

A specific type of Digital Signature is a file or library checksum.


Watermark

[140]

Steganography

Hiding data within images (such as other images, secret messages, etc).


Security Headers

Content Security Policy

[145] [146] [147] [148] [149] [150] [151] [152] [153] [154] [155] [156] [157] [158] [159] [160] [161] [162] [163] [164] [165]

Principle of Least Privilege

Bug Bounty

[166]


Ethical Hacking

Ethical Hacking (related to "White hat" hacking). For hacking to be deemed ethical, the hacker must obey the following rules:

  1. Express (preferably written) permission should be given to penetrate or access a network and attempt to identify potential security risks.
  2. Respect must be given to the individual's, company's or end users' privacy at all times.
  3. Hacking traces and/or exploits must be closed out, not leaving anything open for future exploits.
  4. Inform the software developer or hardware manufacturer of any security vulnerabilities (if not already known) which have been located in their software or hardware.

[167] [168]


Red Team

Red Teaming (also known as "Chaos Engineering") is the practice of deliberately attacking, misusing, or otherwise playing "devil's advocate" to ideation (if "Shift-left Red Teaming") of a given product, service or complete set of IT systems, for the purpose of uncovering any application-level or organization-level weaknesses or vulnerabilities and fixing them before they can be found or exploited by malicious parties such as geo-political adversaries, competitors or hackers.

Initially, where such a practice is not being carried out (maybe even frowned upon in the early days of introducing the concept), the "Red Team" is intentionally set up to provide controlled attempts to thwart, hack/crack/crash, or derail a given project. Later on, the role of the "Red Team" may be spread to specific representatives across departments/teams, made up of roles from around the organization who understand the value of the "attack ourselves and find our weaknesses before our enemies do" mindset, so as to avoid creating yet another "security silo" or "security bottleneck".

[169] [170] [171] [172] [173] [174] [175] [176] [177] [178] [179] [180]

Blue Team


Tools


Anti-Virus Software

NETWORK


OS

VM


TESTING

[196][197][198]


DATA


Monitoring

TripWire

Scanning

OWASP

Open Web Application Security Project (OWASP).

[214] [215] [216] [217] [218] [219] [220] [221] [222] [223] [224] [225] [226] [227] [228]

DependencyTrack

DependencyCheck

[229] [230] [231] [232] [233]

API Security

ZAP

[236] [237] [238] [239] [240] [241] [242] [243] [244] [245] [246] [247] [248] [249] [250] [251] [252] [253] [254] [255] [256] [257] [258] [259] [260] [261] [262]

MetaSploit

Arachni

  • Arachni: https://www.arachni-scanner.com | SRC (free, simple, distributed, intelligent, powerful, friendly application security scanner with network/SSL scanning capabilities)

[263] [264]

Minion

[265] [266] [267] [268]


Resources

[272] [273] [274]

[283] [284] [285]


Vulnerability Registries

[286] [287] [288] [289] [290] [291]

Vulnerable Websites/WebApps (for PenTesting)

For more info, see: Penetration Testing


Hacks

[293] [294] [295] [296] [297] [298] [299] [300] [301] [302] [303] [304] [305] [306] [307] [308] [309]


Breaches

Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises: https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises [314] [315]

[318]

[319] [320] [321]

[322] [323] [324] [325] [326] [327]

[328] [329] [330]

[331] [332] [333] [334] [335] [336] [337] [338]

[341] [342] [343] [344] [345] [346] [347] [348] [349] [350] [351] [352] [353] [354] [355] [356] [357] [358] [359] [360] [361] [362] [363] [364] [365] [366] [367]


Tutorials

[368] [369] [370] [371]

[372]


[379] [380] [381] [382]


External Links

  • Capital One Says Data On 106 Million People Was Stolen: https://www.mediapost.com/publications/article/338724/capital-one-says-data-on-106-million-people-was-st.html

[395]

[396] [397]

[398]


References

  1. Securing the Future of Payments - PCI SSC Publishes PCI Data Security Standard v4.0: https://www.pcisecuritystandards.org/about_us/press_releases/pr_03312022
  2. PCI
  3. Payment Card Industry - Data Security Standard (DSS) v4.0: https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
  4. Payment Card Industry Data Security Standard Summary of Changes from PCI DSS Version 3.2.1 to 4.0: https://www.pcisecuritystandards.org/documents/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf
  5. What You Need to Know About PCI DSS 4.0's New Requirements: https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-
  6. wikipedia: PA-DSS
  7. PA-DSS -- Info & FAQ: http://www.elementps.com/software-providers/pa-dss/
  8. PA-DSS official providers: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
  9. Leveraging MITRE tools for effective Threat Informed Architecture: https://andrecamillo.medium.com/leveraging-mitre-tools-for-effective-threat-informed-archite-99f425567edd
  10. Container Security Threats Added to MITRE Attack Framework: https://containerjournal.com/features/container-security-threats-added-to-mitre-attack-framework/
  11. wikipedia: Jargon File
  12. HTML5 - SRI (code signing for JS, CSS, Fonts, etc): https://w3c.github.io/webappsec-subresource-integrity/
  13. [CSP] "sri" source expression to enforce SRI: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0045.html
  14. MDN -- CSP - "upgrade-insecure-requests": https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
  15. Does Your Organization Have a Security.txt File?: https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/
  16. Not Everything About ".well-known" is Well Known: https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/
  17. 7 Security Frameworks Every InfoSec Professional Should Know: https://medium.com/dark-roast-security/7-security-frameworks-every-infosec-professional-should-know-77a3c4fe2a2b
  18. wikipedia: SHA hash functions
  19. wikipedia: HMAC
  20. e-Security: http://www.elock.com/e-security.html
  21. Jobs in Information Security (InfoSec): https://shehackspurple.ca/2022/01/01/jobs-in-information-security-infosec/
  22. 8 funny cyber security quotes and why they matter to you: https://www.cybertalk.org/2021/10/29/8-funny-cyber-security-quotes-and-why-they-matter-to-you/
  23. 15 hilarious cyber security videos demonstrate the growing need for cyber security training while providing a bit of comedy relief: https://www.ecpi.edu/blog/15-hilarious-cyber-security-videos-inspire-your-it-security-career
  24. 19 of the funniest quotes about cyber security & tech: https://www.cybertalk.org/2021/07/14/19-of-the-funniest-quotes-about-cyber-security-tech/
  25. 2022 Cyber Attack Statistics, Data, and Trends: https://parachute.cloud/2022-cyber-attack-statistics-data-and-trends/
  26. 2022 Must-Know Cyber Attack Statistics and Trends: https://www.embroker.com/blog/cyber-attack-statistics/
  27. New federal bill would compel key industries to bolster cyber security — or pay a price: https://www.cbc.ca/news/politics/cyberattacks-bill-1.6487826
  28. More than 90% of cyberattacks are made possible by human error: https://techxplore.com/news/2022-06-cyberattacks-human-error.html
  29. CISA Releases New Tool to Help Organizations Guard Against Insider Threats: https://www.cisa.gov/news/2021/09/28/cisa-releases-new-tool-help-organizations-guard-against-insider-threats
  30. ESET -- Threat report 2021: https://www.welivesecurity.com/wp-content/uploads/2021/09/eset_threat_report_t22021.pdf
  31. National Security Agency (NSA) -- Cybersecurity & Infrastructure Security Agency (CISA) - Selecting and Hardening Remote Access VPN Solutions: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF
  32. NSA, CISA Release VPN Security Guidance: https://www.govinfosecurity.com/nsa-cisa-release-vpn-security-guidance-a-17640
  33. Security Awareness and Training: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html
  34. Fredericton IT, cybersecurity firm attracting international attention: https://globalnews.ca/news/4605036/fredericton-cyber-security-international/
  35. Magic Quadrant for Security Awareness Computer-Based Training: https://www.gartner.com/doc/reprints?id=1-1OAYVTOT&ct=190723&st=sb
  36. How to Find DoS Attacks Exploit: https://www.shiftleft.io/how-to-find-dos-attack-exploit/
  37. OWASP -- API1:2019 — Broken Object Level Authorization (BOLA): https://apisecurity.io/encyclopedia/content/owasp/api1-broken-object-level-authorization
  38. A Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization): https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2
  39. OWASP -- Insecure Direct Object Reference (IDOR): https://owasp.org/www-chapter-ghana/assets/slides/IDOR.pdf
  40. Who’s Making All Those Scam Calls?: https://www.nytimes.com/2021/01/27/magazine/scam-call-centers.html
  41. ScamBusters: https://www.scambusters.org/
  42. Phishing Emails -- A Field Guide: https://www.barkly.com/how-to-recognize-and-prevent-phishing-attacks
  43. The American Greed Report -- Online shopping scams - Eight signs you’re on a fake site: https://www.cnbc.com/2017/06/16/online-shopping-scams-how-to-identify-fake-sites.html
  44. A Guide For Protecting Yourself From Identity Theft: https://hackernoon.com/a-guide-for-protecting-yourself-from-identity-theft-84d332385193
  45. Watch Out For This New Amazon Email Phishing Scam: https://www.howtogeek.com/697176/psa-watch-out-for-this-new-amazon-email-phishing-scam/
  46. Browser In The Browser (BITB) Attack -- Behold, a password phishing site that can trick even savvy users: https://arstechnica.com/information-technology/2022/03/behold-a-password-phishing-site-that-can-trick-even-savvy-users/
  47. X-Frame-Options Allow-From multiple domains: https://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains/43323121#43323121
  48. HTTP Header Frame Options: https://tools.ietf.org/html/draft-gondrom-frame-options-01
  49. IE8 Security Part VII -- ClickJacking Defenses: https://blogs.msdn.microsoft.com/ie/2009/01/27/ie8-security-part-vii-clickjacking-defenses/
  50. Combating ClickJacking With X-Frame-Options: https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
  51. Declaring Security: https://blogs.msdn.microsoft.com/ie/2009/06/25/declaring-security/
  52. Explaining various IDOR exploit techniques: https://notes.mufaddal.info/web/idor
  53. IDOR explained: https://hackersonlineclub.com/insecure-direct-object-references-idor-vulnerability-explain/
  54. Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1): https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782
  55. Privilege Escalation & IDOR to delete anyone's support ticket: https://securitytraning.com/privilege-escalation-idor-delete-any-ones-support-ticket/unlocked-1/
  56. Pen Tester's guide to IDOR: https://book.hacktricks.xyz/pentesting-web/idor
  57. Website Hacking with Insecure Direct Object Reference (VIDEO): https://www.youtube.com/watch?v=dv6TOd2mY2A
  58. Where ransomware goes next - Your phone, your TV, your servers: http://www.zdnet.com/article/where-ransomware-goes-next-your-phone-your-tv-your-servers/ (Cyber-cops list cryptoware as their 'dominant concern' and warn that it will target more devices and aim for higher-value targets)
  59. Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/
  60. US recovers most of Colonial Pipeline's $4.4M ransomware payment: https://www.bleepingcomputer.com/news/security/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment/
  61. Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside: https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
  62. US Treasury Dept. sanctions Russian cryptocurrency exchange for work with ransomware groups: https://www.zdnet.com/article/us-treasury-dept-sanctions-russian-cryptocurrency-exchange-for-work-with-ransomware-groups/
  63. US Dept. of the Treasury -- Taking Robust Actions to Counter Ransomware: https://home.treasury.gov/news/press-releases/jy0364
  64. The Biggest Ransomware Bust Yet Might Actually Make an Impact: https://www.wired.com/story/ransomware-revil-arrest-kaseya/
  65. Microsoft's new "AI Security scanning tool" spots critical security bugs 97% of the time: https://venturebeat.com/2020/04/16/ai-spots-critical-microsoft-security-bugs-97-of-the-time/
  66. Something You Know, Have, or Are: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
  67. Password Strength Test: http://rumkin.com/tools/password/passchk.php
  68. NIST’s new password rules – what you need to know: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
  69. FTC -- Time to rethink mandatory password changes: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
  70. Don't Pass on the New NIST Password Guidelines: https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
  71. We Didn't Encrypt Your Password, We Hashed It. Here's What That Means: https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/
  72. Should You Change Your Passwords Regularly? (yes & no): https://www.howtogeek.com/187645/htg-explains-should-you-regularly-change-your-passwords/
  73. The 20 Most Common Passwords Found On The Dark Web: https://www.huffingtonpost.co.uk/entry/most-common-passwords-dark-web_l_602eba75c5b66dfc101d3a16
  74. “Invalid Username or Password” - a useless security measure: https://web.archive.org/web/20150315065857/https://kev.inburke.com/kevin/invalid-username-or-password-useless/
  75. OS Credential Dumping: https://attack.mitre.org/techniques/T1003/
  76. The efficiency of Microsoft. Or how the Microsoft MFA system almost brought me to a complete nervous breakdown in under 24 hours.: https://kgizdov.medium.com/the-efficiency-of-microsoft-e50ea81f69f5
  77. How MFA Can Be Used Against You: https://dzone.com/articles/how-mfa-can-be-used-against-you
  78. OpenSSH/Cookbook/Public Key Authentication passwordless login with Public/Private SSH key pair: https://en.m.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
  79. SSH Passwordless Login Using SSH Keygen in 5 Easy Steps: https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
  80. SSH login without password: https://linuxconfig.org/passwordless-ssh
  81. Microsoft Hello - The end of passwords: https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless
  82. Passwordless phone sign-in with the Microsoft Authenticator app (public preview): https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
  83. How to Enable No Password Login on Raspberry Pi: https://www.jaredwolff.com/passwordless-ssh-raspberry-pi/#show1
  84. Auth0 - Passwordless login: https://auth0.com/passwordless
  85. Inside FIDO Alliance’s vision of a future free of passwords: https://thenextweb.com/security/2020/10/09/inside-fido-alliances-vision-of-a-future-free-of-passwords/
  86. KeePassXC: https://keepassxc.org/ (performant Windows client for KeePass)
  87. You Need a Password Manager — Just Don’t Use LastPass: https://debugger.medium.com/you-need-a-password-manager-just-dont-use-lastpass-4b4ef3d485f
  88. The Best Password Managers to Secure Your Digital Life: https://www.wired.com/story/best-password-managers/
  89. Best password manager to use for 2021 - 1Password, LastPass and more compared: https://www.cnet.com/how-to/best-password-manager/
  90. The Best Password Managers for 2021: https://www.pcmag.com/picks/the-best-password-managers
  91. LastPass can now proactively tell you if your passwords have been compromised — for a price: https://www.theverge.com/2020/8/5/21323438/lastpass-passwords-dark-web-monitoring-new-security-dashboard
  92. LastPass password manager hacked: https://www.cbsnews.com/news/lastpass-password-manager-hacked/
  93. LastPass Hacked – Identified Early & Resolved: https://blog.lastpass.com/2015/06/lastpass-security-notice/
  94. Which "password managers" have been hacked: https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/
  95. LastPass, 1Password and other password managers can be hacked -- What to do now: https://www.tomsguide.com/news/password-manager-hacks
  96. LastPass security history -- what if your password manager got hacked?: https://www.lastpass.com/security/what-if-lastpass-gets-hacked
  97. The 1Password Disaster (And Two Brilliant 1Password Alternatives): https://markellisreviews.com/the-1password-disaster-and-two-brilliant-1password-alternatives/
  98. Login MFA Support Added to Vault Open Source and HCP Vault: https://www.hashicorp.com/blog/login-mfa-support-added-to-vault-open-source-and-hcp-vault
  99. What is SIEM? A Beginner’s Guide: https://www.varonis.com/blog/what-is-siem
  100. What Is Security Information and Event Management (SIEM)?: https://www.mcafee.com/enterprise/en-us/security-awareness/operations/what-is-siem.html
  101. What is SIEM?: https://www.ibm.com/topics/siem
  102. Security Information and Event Management (SIEM): https://www.crowdstrike.com/cybersecurity-101/security-information-and-event-management-siem/
  103. WhiteHat Report -- DevSecOps Adoption on the Rise: https://securityboulevard.com/2019/08/whitehat-report-devsecops-adoption-on-the-rise/ (rate of vulnerabilities being found proactively increases, time-to-remediate not budging)
  104. Managing Secrets in DevOps -- A Maturity Mode: https://www.conjur.org/blog/managing-secrets-in-devops-a-maturity-model/
  105. Top 5 Challenges of DevSecOps and How to Overcome Them: https://dzone.com/articles/top-5-challenges-of-devsecops-amp-how-to-overcome
  106. Shifting Security Left -- The Innovation of DevSecOps: https://www.alldaydevops.com/blog/shifting-security-left-the-innovation-of-devsecops-1
  107. US Executive Order on Cybersecurity -- Software Bill of Materials (SBOM) - What it Means for DevOps: https://jfrog.com/blog/us-executive-order-on-cybersecurity-what-it-means-for-devops/
  108. Secrets Detection on Pull Request… The DevSecOps Way: https://medium.com/@galsegal_85810/secrets-detection-on-pull-request-the-devsecops-way-8bbd9759a695
  109. Security Content Automation Protocol -- Common Platform Enumeration (CPE): https://csrc.nist.gov/projects/security-content-automation-protocol/scap-specifications/cpe
  110. MITRE Launches Centers to Protect Infrastructure and Health: https://www.govinfosecurity.com/mitre-launches-centers-to-protect-infrastructure-health-a-17734
  111. Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD: https://github.com/jeremylong/DependencyCheck/issues/523
  112. Dependency-Check Jenkins plugin -- v4.x to v5.x Migration: https://github.com/jenkinsci/dependency-check-plugin/wiki/v5-Migration
  113. Eclipse plugin -- Snyk Security Scanner: https://marketplace.eclipse.org/content/snyk-vuln-scanner | DOCS
  114. Snyk for Eclipse tutorial: https://snyk.io/blog/fix-open-source-vulnerabilities-directly-from-your-eclipse-ide/
  115. Snyk snags $150M investment as its valuation surpasses $1B: https://techcrunch.com/2020/01/21/snyk-snags-150m-investment-as-its-valuation-surpasses-1b/
  116. Snyk Releases Enhanced Vulnerability Prioritization Features: https://www.infoq.com/news/2020/08/snyk-vulnerability/
  117. Vulnerability analysis with Red Hat CodeReady Dependency Analytics and Snyk Intel: https://developers.redhat.com/blog/2020/08/28/vulnerability-analysis-with-red-hat-codeready-dependency-analytics-and-snyk/
  118. What is a software supply chain?: https://www.sonatype.com/resources/software-supply-chain-management-part-1-what-is-a-software-supply-chain
  119. wikipedia: Software bill of materials
  120. The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness: https://www.linuxfoundation.org/tools/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness/
  121. FOSSA Receives Highest Scores Possible in License Risk Management, SBOM Criteria in Forrester Wave: https://fossa.com/blog/fossa-receives-highest-scores-license-risk-management-sbom-forrester-wave/
  122. What is an SBOM?: https://www.linuxfoundation.org/blog/what-is-an-sbom/
  123. Framing Software Component Transparency - Establishing a Common Software Bill of Material (SBOM): https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf
  124. Software Bill of Materials -- Elements & Considerations: https://www.ntia.gov/files/ntia/publications/frn-sbom-rfc-06022021.pdf
  125. Why You Should Rethink Your Software Bill of Materials (SBOM): https://dzone.com/articles/why-you-should-rethink-your-software-bill-of-mater
  126. Report -- Fewer than half of companies are creating or using a Software Bill of Materials (SBoM): https://sdtimes.com/softwaredev/report-fewer-than-half-of-companies-are-creating-or-using-a-software-bill-of-materials/
  127. wikipedia: Software Package Data Exchange (SPDX)
  128. Maven Plugins - SPDX: https://github.com/spdx/spdx-maven-plugin
  129. wikipedia: SWID
  130. wikipedia: CycloneDX
  131. Maven Plugins - CycloneDX: https://github.com/CycloneDX/cyclonedx-maven-plugin
  132. OpenChain + SPDX Lite – Credit where Credit is due: https://www.openchainproject.org/news/2020/02/24/openchain-spdx-lite-credit-where-credit-is-due
  133. Open-sourcing Mariana Trench - Analyzing Android and Java app security in depth: https://engineering.fb.com/2021/09/29/security/mariana-trench/
  134. SAST vs. DAST -- What’s the best method for application security testing? (INFOGRAPHIC): https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/ (also includes side-by-side comparison)
  135. What is "Interactive Application Security Testing" (IAST) and how does it work?: https://www.synopsys.com/glossary/what-is-iast.html
  136. SAST, DAST, IAST and RASP: https://www.imperva.com/learn/application-security/sast-iast-dast/
  137. Can’t Clone Git Respository in SourceTree: Failed to connect….No error: http://www.jonathanmedd.net/2015/06/cant-clone-git-respository-in-sourcetree-failed-to-connect-no-error.html
  138. Installing SourceTree 1.10 in an offline environment: https://community.atlassian.com/t5/SourceTree-questions/Installing-SourceTree-1-10-in-an-offline-environment/qaq-p/386124
  139. Getting git to work with a proxy server: https://stackoverflow.com/questions/783811/getting-git-to-work-with-a-proxy-server
  140. Watermarks - New ways to see and search them: https://blog.nationalarchives.gov.uk/watermarks-new-ways-to-see-and-search-them/
  141. New in CSP 2.0 form-action a key new Header directive for controlling what servers a FORM on your site can be submitted to: https://www.w3.org/TR/CSP2/#directive-form-action
  142. Secure your website with Content Security Policy: https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html
  143. Implementing Content Security Policy: https://hacks.mozilla.org/2016/02/implementing-content-security-policy/
  144. Google Fonts violates Content Security Policy (what needs to be whitelisted?!): https://stackoverflow.com/questions/33984908/google-fonts-violates-content-security-policy (ANSWER: style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;)
  145. Exploiting weak Content Security Policy (CSP) rules for fun and profit: https://dubell.io/exploiting-weak-content-security-policy-csp-rules-for-fun-and-profit/
  146. Webmasters, your CSP could break PCI DSS compliance & leak sensitive data: https://isecguy.wordpress.com/2016/04/19/webmasters-your-content-security-policy-could-break-pci-dss-compliance-leak-sensitive-data/ (if you're using the report-uri logging directive, especially if sending to a 3rd-party Logging Analytics service)
  147. MDN -- CSP - script-src: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
  148. MDN -- window.postMessage(): https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
  149. Play safely in sandboxed IFrames: https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
  150. Working around Content Security Policy issues in Chrome Extensions: https://www.moesif.com/blog/engineering/chrome extensions/Working-Around-Content-Security-Policy-Issues-in-Chrome-Extensions/
  151. Browser implementations of Content Security Policy introduce security problems: https://www.synopsys.com/blogs/software-security/content-security-policy/
  152. Data Exfiltration in the Face of CSP: http://www.cse.chalmers.se/~andrei/asiaccs16.pdf
  153. CSP -- "frame-src": https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
  154. CSP -- frame-ancestors: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
  155. postMessage and header errors in Chrome: https://github.com/mozilla/persona/issues/4083
  156. Cross-window communication (security guide): https://javascript.info/cross-window-communication
  157. Re: CSP and PostMessage?: https://lists.w3.org/Archives/Public/public-web-security/2011Dec/ (click through thread to see answers on CSP configs and impact on postMessage)
  158. Injecting iframe into page with restrictive Content Security Policy: https://stackoverflow.com/questions/24641592/injecting-iframe-into-page-with-restrictive-content-security-policy#24649134
  159. Cordova - CSP refuses to load media blob: https://stackoverflow.com/questions/42672508/cordova-csp-refuses-to-load-media-blob
  160. Error -- Refused to connect to 'blob:': https://github.com/localForage/localForage/issues/445
  161. Extension refuses to load the script due to Content Security Policy directive: https://stackoverflow.com/questions/25867584/extension-refuses-to-load-the-script-due-to-content-security-policy-directive
  162. Chrome and Firefox won't send form data to HTTP URL from HTTPS site: https://github.com/twitter/secure_headers/issues/221
  163. Clickjacking Defense Cheat Sheet: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations (frame-ancestors is the directive to use within a CSP, rather than, or in addition to, the legacy X-Frame-Options header; where both are present, browsers that support frame-ancestors ignore X-Frame-Options)
  164. How I failed to implement CSP: https://advancedweb.hu/2018/10/09/failed_csp/
  165. Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP): https://web.dev/strict-csp/
  166. Google Pays Out Millions To Squash Bugs: https://www.mediapost.com/publications/article/331726/google-pays-out-millions-to-squash-bugs.html
  167. Ethical Hacking - Quick Guide: https://www.tutorialspoint.com/ethical_hacking/ethical_hacking_quick_guide.htm
  168. 20 Hours, $18, and 11 Million Passwords Cracked: https://medium.com/hackernoon/20-hours-18-and-11-million-passwords-cracked-c4513f61fdb1
  169. Red Team -- Pwning the Hearts and Minds one Ticket at a Time: https://www.devsecops.org/blog/2015/12/10/red-team-pwning-the-hearts-and-minds-one-ticket-at-a-time
  170. 9 Evil Bash Commands Explained: https://dev.to/devmount/9-evil-bash-commands-explained-4k5e
  171. Blueprint for a team with a DevOps mindset: https://opensource.com/article/18/12/blueprint-team-devops-mindset
  172. Modern red teaming -- 21 resources for your security team: https://techbeacon.com/security/modern-red-teaming-21-resources-your-security-team
  173. Mindset shift to a DevSecOps culture: https://docs.microsoft.com/en-us/azure/devops/learn/devops-at-microsoft/security-in-devops
  174. Red team, blue team -- How to run an effective simulation: https://www.networkworld.com/article/2278686/lan-wan/red-team--blue-team--how-to-run-an-effective-simulation.html
  175. 6 reasons to hire a red team to harden your app sec: https://techbeacon.com/app-dev-testing/6-reasons-hire-red-team-harden-your-app-sec
  176. Intuit’s DevSecOps -- War Games & Culture Hacking: https://devops.com/intuits-devsecops-war-games-culture-hacking/
  177. Red Team the Cultural team change inspired by "DevSecOps" — A look at what it is: https://medium.com/what-about-security/red-team-the-culture-with-devsecops-a-look-at-what-it-is-79bb386a89c8
  178. Wargames: https://overthewire.org/wargames/ (learn and practice security concepts in the form of fun-filled attack/defend games)
  179. How to integrate IT security in a company - The five pillars of IT security: https://blog.codecentric.de/en/2020/10/how-to-integrate-it-security-in-a-company/ (Visibility, Investigation, Governance, Fulfillment, Threat Hunting)
  180. How much does it cost to build a 24x7 Security Operations Center (SOC)?: https://expel.io/blog/how-much-does-it-cost-to-build-a-24x7-soc/
  181. Project Svalbard, Have I Been Pwned and its Ongoing Independence: https://www.troyhunt.com/project-svalbard-have-i-been-pwned-and-its-ongoing-independence/
  182. I'm Open Sourcing the Have I Been Pwned Code Base: https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/
  183. Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI: https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/
  184. FBI to Share Compromised Passwords With Have I Been Pwned: https://www.govinfosecurity.com/fbi-to-share-compromised-passwords-have-i-been-pwned-a-16760
  185. Check a CSP:
  186. Serverless... Security?: https://dzone.com/articles/serverless-security
  187. How to add mod_headers directive in Apache: https://stackoverflow.com/questions/21295763/mod-headers-module-does-not-load-though-its-enabled-in-httpd-conf
  188. What if China went all GitHub on your website? Grab this coding tool: http://www.theregister.co.uk/2016/01/15/china_github_attack_defence_test/
  189. Free Tool Helps Security Teams Measure Their API Attack Surface: https://www.darkreading.com/dr-tech/free-tool-helps-security-teams-measure-their-api-attack-surface
  190. BitLocker - Drive preparation tool: https://www.microsoft.com/en-us/download/details.aspx?id=7806
  191. Hardware (OEM) makers' Guide to BitLocker: http://msdn.microsoft.com/en-us/library/windows/hardware/dn653315(v=vs.85).aspx
  192. BitLocker Drive Encryption (Technical) Overview: http://technet.microsoft.com/en-us/library/cc732774.aspx
  193. Windows BitLocker Drive Encryption Step-by-Step (User) Guide -- BitLocker: http://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx
  194. How to Turn On or Off BitLocker for Windows 8 OS Drive with or without TPM: http://www.eightforums.com/tutorials/21271-bitlocker-turn-off-os-drive-windows-8-a.html
  195. How to Set Up BitLocker Encryption on Windows: http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/
  196. Anti-Virus Market Share Report June 2012: http://www.opswat.com/about/media/reports/antivirus-june-2012
  197. HOME AntiVirus Benchmark Tests: http://www.av-test.org/en/tests/home-user/
  198. Kaspersky software reverse engineered by NSA, GCHQ: Report: http://www.zdnet.com/article/kaspersky-software-reverse-engineered-by-nsa-gchq-report/
  199. Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
  200. Is there any documentation for xmlseclibs?: http://stackoverflow.com/questions/24922384/is-there-any-documentation-for-xmlseclibs
  201. Which is the proper XML exclusive canonicalization?: http://stackoverflow.com/questions/2200988/which-is-the-proper-xml-exclusive-canonicalization
  202. Google has released its enterprise network vulnerability scanner as open source via GitHub: https://alternativeto.net/news/2020/7/google-has-released-its-enterprise-network-vulnerability-scanner-as-open-source-via-github/
  203. Google open-sources Tsunami vulnerability scanner: https://www.zdnet.com/article/google-open-sources-tsunami-vulnerability-scanner/
  204. OWASP AntiSamy Project: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
  205. OWASP Top 10 #10 -- Unprotected APIs (Updated 2018): https://resources.infosecinstitute.com/owasp-top-10-10-unprotected-apis/
  206. OWASP Top 10 Training Boot Camp: https://www.infosecinstitute.com/courses/owasp-top-10-boot-camp/
  207. New OWASP List Highlights API Security Holes: https://securityboulevard.com/2019/09/new-owasp-list-highlights-api-security-holes/
  208. OWASP API Security Top 10 -- Get your dev team up to speed: https://techbeacon.com/security/owasp-api-security-top-10-get-your-dev-team-speed
  209. Gartner -- How to Build an Effective API Security Strategy: https://www.gartner.com/doc/3834704
  210. Forrester -- API Insecurity - The Lurking Threat In Your Software: https://www.forrester.com/report/API+Insecurity+The+Lurking+Threat+In+Your+Software/-/E-RES142080?objectid=RES142080
  211. Guide to the OWASP Benchmark v1.1, 1.2: https://rawgit.com/OWASP/Benchmark/master/scorecard/OWASP_Benchmark_Home.html
  212. ShiftLeft -- OWASP SAST Benchmark: https://www.shiftleft.io/images/OWASP-SAS-Benchmark-Whitepaper.pdf
  213. OWASP Security Testing checklist: https://www.owasp.org/index.php/Testing_Checklist
  214. OWASP -- DevSecOps days: https://soundcloud.com/owasp-podcast
  215. OWASP, Antisamy, and Sightly in AEM: http://www.aemmastery.com/2015/04/23/owasp-antisamy-sightly-aem/
  216. Setting a Baseline for Web Security Controls: http://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/
  217. OWASP Top 10 -- What's missing for enterprise app sec: https://techbeacon.com/owasp-top-10-whats-missing-enterprise-app-sec
  218. Preparing to Release the OWASP IoT Top 10 2018: https://danielmiessler.com/blog/preparing-to-release-the-owasp-iot-top-10-2018/
  219. OWASP- Top 10 Vulnerabilities in web applications (updated for 2018): https://www.greycampus.com/blog/information-security/owasp-top-vulnerabilities-in-web-applications
  220. OWASP Cornucopia -- card game to assist software development teams identify security requirements: https://www.owasp.org/index.php/OWASP_Cornucopia
  221. OWASP WebSpa Project: https://www.owasp.org/index.php/OWASP_WebSpa_Project
  222. OWASP WebSpa - The Concept of Web Knocking and a Tool to Go With it: https://www.owasp.org/images/9/91/OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx
  223. Software Assurance Marketplace (SWAMP): https://continuousassurance.org/
  224. OWASP - SWAMP: https://www.owasp.org/index.php/SWAMP_OWASP
  225. NIST Data Mirror: https://github.com/stevespringett/nist-data-mirror (CLI tool in Java to grab CVEs)
  226. Unable to download NVD CVE data: https://github.com/jeremylong/DependencyCheck/issues/1558
  227. Unable to download meta file "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta": https://github.com/jeremylong/DependencyCheck/issues/2039 (the legacy NVD JSON 1.x feeds referenced in these issues have since been retired by NIST in favour of the NVD API, so current Dependency-Check releases require an NVD API key instead)
  228. How to do application security on a budget: https://techbeacon.com/security/how-do-application-security-budget
  229. Checking vulnerabilities in 3rd party dependencies using OWASP Dependency-Check Plugin in Jenkins: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8 (great advice for how to setup v1.x-4.x but not exact same steps for 5.x)
  230. Using OWASP Dependency check with SonarQube: https://maartenderaedemaeker.be/2017/07/27/using-owasp-dependency-check/
  231. OWASP Dependency Check for Vulnerability Reporting: https://keyholesoftware.com/2018/06/14/owasp-dependency-check-for-vulnerability-reporting/
  232. OWASP Dependency-Check - How Does It Work?: https://resources.whitesourcesoftware.com/blog-whitesource/owasp-dependency-check
  233. Sec in your DevOps -- Adding the OWASP Dependency Check to your Jenkins pipeline: https://www.nagarrosecurity.com/blog/adding-owasp-dependency-check-to-jenkins
  234. wikipedia: OWASP ZAP
  235. OWASP ZAP -- Getting Started Guide: https://github.com/zaproxy/zaproxy/releases/download/2.7.0/ZAPGettingStartedGuide-2.7.pdf
  236. ZAP local setup: https://www.youtube.com/watch?v=7xpjLaCCJWM
  237. Jenkins plugin -- OWASP-Jenkins: https://github.com/jay-johnson/owasp-jenkins
  238. Automating Security Testing of web applications using OWASP Zed Attack Proxy in Jenkins: https://medium.com/@PrakhashS/automating-security-testing-of-web-applications-using-owasp-zed-attack-proxy-in-jenkins-aa0f9eafdcba
  239. Automating the boring stuff in development using ZAP & Jenkins Continuous Integration: https://medium.com/@PrakhashS/automating-the-boring-stuffs-using-zap-and-jenkins-continues-integration-d4461a6ace1a
  240. ZAP -- Jenkins plugin setup (WALKTHROUGH): https://www.youtube.com/watch?v=mmHZLSffCUg
  241. OWASP ZAP Official Jenkins Plugin: https://www.youtube.com/watch?v=ZxCy1jrsYnY (good presentation where the plugin was introduced, but demo too grainy, refer to walkthrough video above)
  242. Intro & ZAP Jenkins Plugin: https://www.youtube.com/watch?v=m_WVXJemIjM
  243. Security Testing for Developers Using OWASP ZAP: https://www.youtube.com/watch?v=_MmDWenz-6U
  244. ZAP wiki -- Tutorial Videos: https://github.com/zaproxy/zaproxy/wiki/Videos
  245. ZAP tutorials youtube playlist: https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB
  246. ZAP Baseline Scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan (Python script that spiders the target for a fixed time and then runs only ZAP's passive scan rules, so it performs no actual attacks and is safe to point at production; its one required parameter is the target URL)
  247. ZAP API Scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan
  248. Scripting with OWASP ZAP: https://www.coveros.com/scripting-owasp-zap/
  249. Scripting with ZAP -- adding a new header to each scan request: https://www.securify.nl/blog/SFY20170301/scripting-with-zap_-adding-a-new-header-to-each-scan-request.html
  250. Security Testing for APIs using ZAP: https://medium.com/@PrakhashS/security-testing-for-apis-using-zap-5df8ec07a131
  251. Exploring APIs with ZAP: https://zaproxy.blogspot.com/2017/04/exploring-apis-with-zap.html
  252. OWASP ZAP API demonstration - Extended: https://vimeo.com/120030830
  253. Beating the Cost, Time, and Quality Equation With OWASP ZAP Automation: http://urbantechtimes.com/uncategorized/beating-the-cost-time-and-quality-equation-with-owasp-zap-automation/
  254. ZAP Tutorial - Authentication, Session and Users Management: https://www.youtube.com/watch?v=cR4gw-cPZOA
  255. OWASP ZAP Official Jenkins Plugin walkthrough & Demo - Goran Sarenkapa: https://www.youtube.com/watch?v=ZxCy1jrsYnY
  256. Automating security tests using OWASP ZAP & Jenkins: https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html
  257. Getting error in Python code for automating OWASP ZAP for the application: https://stackoverflow.com/questions/45566018/getting-error-in-python-code-for-automate-owsap-zap-for-the-application/45588479?noredirect=1#comment78136492_45588479
  258. How to create HTML report for ZAP (OWASP) using Python API script which integrates with Jenkins: https://stackoverflow.com/questions/45617031/how-to-create-html-report-for-zapowasp-using-python-api-script-which-integrate
  259. ZAP -- Help Addons, Quickstart & Cmdline: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsQuickstartCmdline
  260. How to speed up OWASP ZAP scans: https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/
  261. Getting Started with ZAP and the OWASP Top 10 -- Common Questions: https://www.denimgroup.com/resources/blog/2015/07/getting-started-questions/
  262. Stop Using Burp Suite, Use ZAP!: https://medium.com/geekculture/%EF%B8%8Fstop-using-burp-suite-use-zap-fd68bf12d63e
  263. Arachni checks: https://www.arachni-scanner.com/features/framework/#Checks
  264. Arachni OSS is no longer maintained: https://www.arachni-scanner.com/blog/arachni-is-no-longer-maintained/ (moving to commercial scanning algorithm)
  265. Mozilla’s giving you a free Minion for developer-first security: https://venturebeat.com/2013/07/30/minion-web-security/
  266. MINION – MOZILLA SECURITY TESTING FRAMEWORK: https://www.darknet.org.uk/2016/12/minion-mozilla-security-testing-framework/
  267. Minion - BREACH exploit checker (PLUGIN): https://github.com/mozilla/minion-breach-plugin
  268. Introducing Minion: https://blog.mozilla.org/security/2013/07/30/introducing-minion/
  269. wikipedia: ISO/IEC_27001
  270. What is ISO/IEC 27001 for Information Security Management System (ISMS)?: https://www.imperva.com/learn/data-security/iso-27001/
  271. Microsoft compliance to ISO/IEC 27001:2013 Information Security Management Standards: https://docs.microsoft.com/en-us/compliance/regulatory/offering-iso-27001
  272. Getting Started with the NIST Cybersecurity Framework - A Quick Start Guide: https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide
  273. How to Use NIST Cybersecurity Framework (CSF) to Map Risk to Cyber Threats and Enable Zero Trust: https://medium.com/technology-hits/how-to-use-nist-cybersecurity-framework-csf-to-map-risk-to-cyber-threats-and-enable-zero-trust-d794c8f411dc
  274. NIST -- CyberSecurity (WHITEPAPER) - Planning for a Zero Trust Architecture, A Starting Guide for Administrators: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.08042021-draft.pdf
  275. Clarifying Government Security Clearances: Protected Level B: http://blog.allmove.com/government-clearances/clarifying-government-security-clearances-protected-level-b/
  276. Canada Firearms Act: http://laws-lois.justice.gc.ca/eng/acts/F-11.6/page-3.html#docCont
  277. Canadian Firearms License: http://www.rcmp-grc.gc.ca/cfp-pcaf/faq/lic-per-eng.htm
  278. Canadian Firearms Safety Course: http://www.rcmp-grc.gc.ca/cfp-pcaf/safe_sur/cour-eng.htm
  279. RCMP - Official Firearms Safety Training course: http://www.rcmp-grc.gc.ca/cfp-pcaf/safe_sur/index-eng.htm
  280. Restricted Firearms safety course: http://www.rcmp-grc.gc.ca/cfp-pcaf/safe_sur/cour-res-eng.htm
  281. UN Security Council -- Sanctions List materials: https://www.un.org/securitycouncil/sanctions/2048/sanctions-list-materials (this page is the resolution 2048 committee list, which concerns Guinea-Bissau; the ISIL (Da'esh) & Al-Qaida list that is used for terrorism screening is maintained by the 1267/1989/2253 committee and published separately)
  282. Subscribe to the Application Security Podcast: https://www.appsecpodcast.org/subscribe-to-podcast/
  283. 20 API security resources that you can’t afford to miss: https://blog.imvision.ai/our-top-list-of-18-api-security-related-articles-and-resources-that-you-cannot-afford-to-miss
  284. Attack vectors of compromised Email: https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
  285. Attack vectors of compromised Computer: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
  286. Launching "Open Source Vulnerabilities" (OSV) - Better vulnerability triage for open source: https://opensource.googleblog.com/2021/02/launching-osv-better-vulnerability.html
  287. Google's "Announcing a unified vulnerability schema" for open source: https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html
  288. Finding Critical Open Source Projects: https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html
  289. A shared vulnerability format for open-source packages: https://docs.google.com/document/d/1sylBGNooKtf220RHQn1I8pZRmqXZQADDQ_TOABrKTpA/edit#heading=h.ss425olznxo
  290. Google rolls out a unified security vulnerability schema for open-source software: https://www.zdnet.com/article/google-rolls-out-a-unified-security-vulnerability-schema-for-open-source-software/
  291. Google pushes bug databases to get on the same page for open-source security: https://www.theregister.com/2021/06/24/google_security_fix/
  292. OWASP Vulnerable Web Applications Directory: https://owasp.org/www-project-vulnerable-web-applications-directory/
  293. Apache Log4j Security Vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
  294. Log4j 2.x -- SLF4J Binding: https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/
  295. Simple Logging Facade for Java (SLF4J) -- Comments on the CVE-2021-44228 vulnerability: http://slf4j.org/log4shell.html
  296. Bridging legacy APIs: https://www.slf4j.org/legacy.html
  297. Critical New 0-day Vulnerability in Popular Log4j Library Discovered with Evidence of Mass Scanning for Affected Applications: https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild
  298. (Sonatype offers practical advice on how to) Find and Fix Log4j: https://help.sonatype.com/docs/important-announcements/find-and-fix-log4j
  299. Snyk's CLI "Log4Shell checking" command: https://updates.snyk.io/cli-log4shell-command-217064
  300. Kaspersky -- Critical vulnerability in Apache Log4j library: https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/
  301. Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/
  302. Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk: https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
  303. YCombinator forums -- Log4j - Remote Code Execution (RCE) found: https://news.ycombinator.com/item?id=29504755
  304. New "Zero-day exploit" for Log4J Java logging library (aka. "Log4Shell"; some early coverage also called it "LogJam", a name that collides with the unrelated 2015 TLS Diffie-Hellman downgrade attack, so prefer "Log4Shell" or CVE-2021-44228): https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
  305. Microsoft’s Response to CVE-2021-44228 Apache Log4j 2: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
  306. "Traceable AI" can help detect & protect against Log4Shell, the Log4j RCE Zero-day Vulnerability (CVE-2021-44228): https://www.traceable.ai/blog-post/traceable-ai-can-help-detect-and-protect-against-the-log4j-rce-cve-2021-44228-zero-day-exploit
  307. Tidelift advisory -- Log4Shell critical vulnerability - what you need to know and do: https://blog.tidelift.com/tidelift-advisory-log4shell-critical-vulnerability-what-you-need-to-know-and-do
  308. Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228): https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-execution-vulnerability-cve-2021-44228/td-p/434261/page/2
  309. AEM FORMS JEE -- Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228): https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-forms/aem-forms-jee-apache-log4j-remote-code-execution-vulnerability/m-p/434348#M8119
  310. Cybersecurity in 2015 -- What to expect: http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/
  311. SEC proposes four-day rule for public companies to report cyberattacks: https://www.theregister.com/2022/03/09/sec_cyberattack_disclosure/
  312. SEC proposes mandatory breach reporting for publicly traded companies: https://fcw.com/security/2022/03/sec-proposes-mandatory-breach-reporting-publicly-traded-companies/362975/
  313. Demystify the Cybersecurity Risk Management Process: https://dzone.com/articles/demystify-the-cybersecurity-risk-management-proces
  314. Data Breach Notice Research by the Identity Theft Resource Center Shows Consumers Don’t Act After a Data Theft: https://www.idtheftcenter.org/post/data-breach-notice-research-by-the-identity-theft-resource-center-shows-consumers-dont-act-after-a-data-theft/
  315. Data breaches in the US are over 90% cyberattack-related: https://techhq.com/2022/04/data-breaches-in-the-us-rose-14-in-the-first-quarter-of-this-year/
  316. Capital One data breach -- here’s what Canadians need to know: https://globalnews.ca/news/5702026/capital-one-data-breach-what-to-know/
  317. The British Airways Hack -- JavaScript Weakness Pin-pointed Through Time-lining: https://medium.com/asecuritysite-when-bob-met-alice/the-british-airways-hack-javascript-weakness-pin-pointed-through-time-lining-dd0c2dbc7b50
  318. Incident Report Guessing -- Chatbots, the BA Hack and Ticketmaster: https://medium.com/asecuritysite-when-bob-met-alice/incident-report-guessing-chatbots-the-ba-hack-and-ticketmaster-f0aeff7a3072
  319. Cisco Data Center Network Manager Authentication Bypass Vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-bypass-dyEejUMs
  320. Cisco 'Knowingly' Sold Hackable Video Surveillance System to U.S. Government (fined $8.6million): https://thehackernews.com/2019/08/cisco-surveillance-technology.html
  321. An Office Phone Flaw Can’t Be Fixed by Cisco Alone: https://www.wired.com/story/office-phone-flaw-cant-be-fixed-by-cisco-alone/
  322. What to know (and do) about the CRA breach and shutdown: https://globalnews.ca/news/7281074/cra-hack-online-services/
  323. Victims of CRA hackers vulnerable to other cyberattacks (experts): https://www.cbc.ca/news/politics/cra-cyber-attack-privacy-1.5689928
  324. CRA cyberattack victims say they notified agency about hack long before breaches confirmed: https://www.ctvnews.ca/canada/cra-cyberattack-victims-say-they-notified-agency-about-hack-long-before-breaches-confirmed-1.5070362
  325. CRA says online services to be restored by Wednesday following hack: https://www.chch.com/cra-says-online-services-to-be-restored-by-wednesday-following-hack/
  326. Better Business Bureau shares cyber tips after CRA hack: https://globalnews.ca/video/7293561/better-business-bureau-shares-cyber-tips-after-cra-hack
  327. Thousands of CRA accounts hacked in cyberattack: https://www.cbc.ca/player/play/1776524355973
  328. Why the US government hack is literally keeping security experts awake at night: https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
  329. Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?: https://krebsonsecurity.com/2021/04/did-someone-at-the-commerce-dept-find-a-solarwinds-backdoor-in-aug-2020/
  330. SolarWinds CEO reveals much earlier hack timeline, regrets company blaming intern: https://www.cyberscoop.com/solarwinds-ceo-reveals-much-earlier-hack-timeline-regrets-company-blaming-intern/
  331. Facebook confirms that a sample of the 533M data is related to a ‘contact importers vulnerability’ which was fixed in Aug 2019: https://twitter.com/ashk4n/status/1379190936970829825
  332. Scraped personal data of 1.3 million Clubhouse users has reportedly been posted online: https://www.businessinsider.com/clubhouse-data-leak-1-million-users-2021-4
  333. Clubhouse CEO says user data was not leaked, contrary to reports: https://www.theverge.com/2021/4/11/22378302/personal-information-1-million-clubhouse-users-leaked-privacy-security
  334. Exclusive interview - The Iranian grad student who scraped Clubhouse explains why he did it, and that it's not "hacking": https://www.businessofbusiness.com/articles/the-data-scientist-who-scraped-clubhouse-explains-his-motives-and-why-it-was-not-hacking/
  335. FBI Works With 'Have I Been Pwned' to Notify Emotet Victims: https://beta.darkreading.com/threat-intelligence/fbi-works-with-have-i-been-pwned-to-notify-emotet-victims
  336. Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU: https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu/
  337. 70TB of Parler users’ messages, videos, and posts leaked by security researchers: https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/
  338. The Growing Victim List -- Data Breaches Rose In Q1, Hitting More People: https://www.mediapost.com/publications/article/362163/the-growing-victim-list-data-breaches-rose-in-q1.html
  339. US nuclear weapon bunker security secrets spill from online flashcards since 2013: https://www.theregister.com/2021/05/28/flashcards_military_nuclear/
  340. Smart API Security for Your Smart Car: https://curity.io/blog/smart-api-security-for-your-smart-car/
  341. Hackers Breach EA, Claim to Have Stolen Company Source Code: https://www.pcmag.com/news/hackers-breach-ea-claim-to-have-stolen-company-source-code
  342. Tracking Amazon delivery staff through their own "Package Tracking API": https://www.pentestpartners.com/security-blog/tracking-amazon-delivery-staff/
  343. How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It: https://thezerohack.com/apple-vulnerability-bug-bounty
  344. Clearview Data Breach Prompts Renewed Calls To Curb Facial Recognition: https://www.mediapost.com/publications/article/347682/clearview-data-breach-prompts-renewed-calls-to-cur.html
  345. Tour de Peloton - Exposed user data: https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-data/
  346. Apple’s Insecure iPhone Lets NSO Hack Journalists (again): https://securityboulevard.com/2021/07/apples-insecure-iphone-lets-nso-hack-journalists-again/
  347. 38 Million Users’ Data Exposed by Microsoft Power Apps: https://www.howtogeek.com/750401/38-million-users-data-exposed-by-microsoft-power-apps/
  348. 38M Records Were Exposed Online—Including Contact-Tracing Info: https://www.wired.com/story/microsoft-power-apps-data-exposed/
  349. UN Computer Networks Breached by Hackers Earlier This Year: https://www.bloomberg.com/news/articles/2021-09-09/united-nations-computers-breached-by-hackers-earlier-this-year
  350. Twitch hack - data breach exposes sensitive information: https://www.theguardian.com/technology/2021/oct/06/twitch-hack-data-breach-gaming-platform
  351. Massive Twitch hack - Source code and payment reports leaked: https://www.bleepingcomputer.com/news/security/massive-twitch-hack-source-code-and-payment-reports-leaked/
  352. Security experts aghast at the scale of Twitch hack - 'This is as bad as it could possibly be': https://www.pcgamer.com/security-experts-aghast-at-the-scale-of-twitch-hack-this-is-as-bad-as-it-could-possibly-be/
  353. Protect the source -- EA and others hacked: https://sdtimes.com/security/protect-the-source/?activecampaign_id=123002
  354. Critical flaws found in interoperability backbone - FHIR APIs vulnerable to abuse: https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse
  355. Worst breaches of 2021 so far: https://www.identityforce.com/blog/2021-data-breaches
  356. More than half of medical devices found to have critical vulnerabilities: https://www.zdnet.com/article/more-than-half-of-medical-devices-have-critical-vulnerabilities/ (new report reveals what kind of medical devices are at most risk of security threats)
  357. IV pumps riskiest healthcare IoT, while 50% of medical devices hold critical flaws: https://www.scmagazine.com/analysis/asset-management/iv-pumps-riskiest-healthcare-iot-while-50-of-medical-devices-hold-critical-flaws
  358. Hackers Hack Samsung, Leak 190GB of Company Secrets: https://www.howtogeek.com/790255/hackers-hack-samsung-leak-190gb-of-company-secrets/
  359. Christian Donation site "GiveSendGo", used by Freedom Convoy, suffers 3rd data leak in two weeks: https://www.dailydot.com/debug/givesendgo-trucker-convoy-hack-leak/
  360. Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments: https://www.mandiant.com/resources/apt41-us-state-governments
  361. FBI warns of ransomware gangs targeting food, agriculture orgs: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-gangs-targeting-food-agriculture-orgs/
  362. FBI warns of ransomware attacks targeting US agriculture sector: https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-attacks-targeting-us-agriculture-sector/
  363. Cow-counting app abused by China "to spy on US states' governments": https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
  364. Ransomware plows through farm machinery giant AGCO: https://www.theregister.com/2022/05/09/farm_machinery_giant_agco_hit/
  365. Protecting Android users from 0-Day attacks: https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/
  366. Researchers devise iPhone malware that runs even when device is turned off: https://arstechnica.com/information-technology/2022/05/researchers-devise-iphone-malware-that-runs-even-when-device-is-turned-off/
  367. Google - "Predator" spyware infected Android devices using zero-days (several governments potentially involved): https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/
  368. Password Authentication -- How to Correctly Do It: https://dzone.com/articles/password-authentication-how-to-do-it-correctly
  369. How to Hash a BLOB: http://sqlblog.com/blogs/michael_coles/archive/2009/04/16/13253.aspx
  370. Database Modeling Tip - How to Store Passwords in a Database with HASH + SALT: http://onewebsql.com/blog/how-to-store-passwords
  371. A Future-Adaptable Password Scheme (WHITEPAPER): https://www.usenix.org/legacy/events/usenix99/provos.html
  372. Cracking encrypted CreditCard numbers (exposed by API): https://infosecwriteups.com/cracking-encrypted-credit-card-numbers-exposed-by-api-977c6f7b996f
  373. Credit Card Stealer Investigation Uncovers Malware Ring: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html
  374. Dependency Risk and Funding: https://lucumr.pocoo.org/2022/1/10/dependency-risk-and-funding/
  375. How to Prevent File Upload Vulnerabilities: https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
  376. Protection from Unrestricted File Upload Vulnerability: https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability
  377. Why File Upload Forms are a Major Security Threat: https://www.acunetix.com/websitesecurity/upload-forms-threat/
  378. What is DevSecOps?: http://www.devsecops.org/blog/2015/2/15/what-is-devsecops
  379. Necurs.P2P – A New Hybrid Peer-to-Peer Botnet: https://www.malwaretech.com/2016/02/necursp2p-hybrid-peer-to-peer-necurs.html
  380. Marcus Hutchins' analysis on Kelihos malware: https://www.malwaretech.com/2015/12/kelihos-analysis-part-1.html
  381. Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet: https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/
  382. The Leaked NSA Spy Tool That Hacked the World: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/
  383. DHS notice on UPnP old news, as FBI warned about it in 2001, CIA exploited in Middle East spying/cyberwarfare: https://www.grc.com/unpnp/unpnp.htm
  384. Equifax Inc. (EFX)Announces Significant Data Breach; -13.4% in After-Hours: https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c1-88e55503ecb0.pdf
  385. Apache Struts Statement on Equifax Security Breach: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
  386. Apache Struts Flaw Reportedly Exploited in Equifax Hack: http://www.securityweek.com/apache-struts-flaw-reportedly-exploited-equifax-hack
  387. Struts Flaw behind Equifax Breach Disclosed and Patched in March: https://www.infoq.com/news/2017/09/struts (patched in March in Struts, hacked in May in Equifax app)
  388. Equifax says data from 143 million people exposed in hack: http://www.ctvnews.ca/business/equifax-says-data-from-143-million-people-exposed-in-hack-1.3579821
  389. Equifax website hack exposes data for ~143 million US consumers: https://arstechnica.com/information-technology/2017/09/equifax-website-hack-exposes-data-for-143-million-us-consumers/
  390. Three Equifax Managers Sold Stock Before Cyber Hack Revealed: https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack
  391. Equifax execs sold stock before hack was disclosed: http://money.cnn.com/2017/09/08/investing/equifax-stock-insider-sales-hack-data-breach/index.html
  392. Equifax credit file monitoring -- Cybersecurity Incident & Important Consumer Information: https://www.equifaxsecurity2017.com/
  393. After Massive Data Breach, Equifax Directed Customers To Fake Site: http://www.npr.org/sections/thetwo-way/2017/09/21/552681357/after-massive-data-breach-equifax-directed-customers-to-fake-site
  394. Equifax will pay up to $700 million to settle data breach lawsuits: https://www.cbsnews.com/news/equifax-data-breach-settlement-equifax-will-pay-700-million-to-settle-data-breach-lawsuits/
  395. FTC Finalizes Zoom Settlement, Despite Acting Chair's Dissent: https://www.mediapost.com/publications/article/360138/ftc-finalizes-zoom-settlement-despite-acting-chai.html
  396. Microsoft -- Beware Phishing Attacks with Open Redirect Links: https://www.govinfosecurity.com/microsoft-beware-phishing-attacks-open-redirect-links-a-17404: https://thehackernews.com/2021/08/microsoft-warns-of-widespread-phishing.html
  397. Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally: https://www.theregister.com/2021/08/27/microsoft_phishing_defender/
  398. Security audit raises severe warnings on Chinese smartphone models: https://arstechnica.com/information-technology/2021/09/security-audit-raises-severe-warnings-on-chinese-smartphone-models/
  399. NSA, Allies Issue Cybersecurity Advisory on Weaknesses that Allow Initial Access: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3033563/nsa-allies-issue-cybersecurity-advisory-on-weaknesses-that-allow-initial-access/

See Also

WebApp | Web Service | Penetration Testing | Surveillance | Identification | Authentication | Authorization | Encryption | HTTPS | SSL | TLS | XSS | PGP | VPN | P2P | Network Firewall | TechDebt | DarkWeb | Quantum Computing