This Open-Source Security Key Helps You Ditch Software Authenticators

GizModo VR

Accidentally deleting your Google Authenticator app is a nightmare. The app, which generates one-time codes for many websites, is usually your key to many major email services, including Gmail, domain name services like Namecheap, and even banking services.

GitHub to enforce 2FA for all code contributors by the end of 2023

Venture Beast

GitHub has revealed plans to make two-factor authentication (2FA) mandatory for all GitHub.com users by the end of 2023. Read More.

Security for Big Data Designs: Examining best practices with security architect Eddie Garcia

CTOvision

The breakfast event focused on security for big data designs and featured the highly regarded security architect Eddie Garcia. Eddie Garcia is chief security architect at Cloudera, a leader in enterprise analytic data management. Eddie helps Cloudera enterprise customers reduce security and compliance risks associated with sensitive data sets stored and accessed in Apache Hadoop environments. This creates the most secure Hadoop distribution on the market.

OpenHaystack is a new open-source tool that lets you create DIY AirTags on Apple’s Find My network

The Verge

Apple has promised to open up its Find My app to third-party accessory makers. There don’t appear to be serious security implications for the Find My network itself, either (though the team has submitted other bug reports to Apple). Image: OpenHaystack.

SoloKeys Solo V2 is an easy and quick way to improve your personal cybersecurity

Tech Republic Security

The security key is built on open source hardware and firmware, making it a universal factor authentication device instead of a two-factor authentication device.

Everything You Know About eAuthentication is wrong!

CTOvision

On Labor Day, September 5th 2016, NIST published their Digital Authentication Guideline: Public Preview. There will be successive open comment periods. The base document SP 800-63-3 is the third iteration of this special publication, and has been renamed to: Digital Authentication Guideline. SP 800-63B – Authentication & Lifecycle Management. For over a decade we have used LOA 1, LOA 2, LOA 3 and LOA 4 to classify and refer to the type of authentication we used.

HackerOne CEO Mårten Mickos: COVID-19 is ‘the planet’s warning’ to accelerate digital civilization

GeekWire

A native of Finland, he’s the former CEO of MySQL, the open-source database company that was sold to Sun Microsystems in 2008. Security had been this very dogmatic, closed, secret group of people, building advanced technology that makes life more and more difficult.

How to secure your phone before attending a protest

The Verge

Circumstances and situations vary and none of these methods are 100 percent foolproof, but they do offer increased security for you and your info. Use a password rather than biometrics to secure your data. Now’s a good time to secure your device and any information on it.

The Roles of SAST and DAST and Fuzzing in Application Security

ForAllSecure

With more applications being built every day, the need for robust Application Security Testing (AST) has never been greater. In this blog post, we'll cover the roles DAST and SAST play in Application Security Testing and discuss how fuzzing fits into it all.

Teen Finds Vulnerability That Can 'Annoy the Sh*t' Out of Tesla Owners

SecureWorld News

Tesla is one car maker that is getting closer and closer to creating a fully electric, self-driving car, but it has hit some speed bumps along the way, specifically with security issues. Security vulnerability in TeslaMate. I reported this issue to the Tesla Security Team immediately.

Nmap security scanner gets new scripts, performance boosts

Network World

The Nmap Project just released the Holiday Edition of its open source cross-platform security scanner and network mapper, with several important improvements and bug fixes. New features in Nmap 7.40 include Npcap 0.78r5, for adding driver signing updates to work with Windows 10 Anniversary Update; faster brute-force authentication cracking; and new scripts for Nmap Script Engine, the project’s maintainer Fyodor wrote on the Nmap mailing list.

KITABOO facilitates key LMS integrations with advanced technological features

Kitaboo on EdTech

Content security: Content typically is not secure within an LMS. Security, without the hassle of complexity: Although an LMS can easily deliver learning at a large scale, it lacks a range of multiple functionalities. Using DRM to Securely Distribute Textbooks Online.

Seven Trends and Predictions for 2017

CTOvision

Their Mesos framework is built on open source tools: Apache Spark, Apache Mesos, R, and Docker. AirBnB has released the platform to the entire travel industry as open source. Trend #6—Security. Despite continued advances in security like AES encryption and multi-factor authentication, we don’t seem to be winning the war on cybercrime. Nathaniel Crocker. Seven Trends and Predictions for 2017. In billiards, you must call your shot ahead of time.

There’s a better way to protect yourself from hackers and identity thieves

Vox

Authenticator apps like Google Authenticator might seem intimidating, but they’re easy to use and safer than texts. If you’re using texts for two-factor authentication, it’s time to change to an app. When people ask me for security tips, I give them the basics.

Threat: New bug puts 400K servers at risk

IT Manager Daily

Threat: Versions of the open-source Exim message transfer agent are vulnerable. Exploited flaw: The buffer overflow in the handling of base64 authentication can be used to send a boobytrapped mail message that then allows bad actors to run arbitrary code remotely. Fixes/Workarounds: Exim released a security update (version 4.90.1), but many haven’t installed the patch. An estimated 400,000 servers are still at risk, so update your version of Exim to stay secure.

MicroK8s: Up and Running in Azure

Linux Academy

By now you’ve heard the stories that Microsoft loves Linux and fully embraces the open-source world. Microsoft, under Satya Nadella, has taken a new stance on open-source, which to some is a complete flip-flop from the Microsoft of the past.

Crypto-currencies and their promise for enterprise technology professionals

CTOvision

As advanced applications are developed that leverage the capabilities that make Bitcoin possible, enterprise technologists will be able to tap into new capabilities for security and functionality. It was invented by Satoshi Nakamoto, who published the invention in 2008 and released it as open source software in 2009. Users of bitcoin are provided with enhanced security and control. Fortunately, with bitcoin, you can learn sound security practices to protect the money.

Technology Short Take 155

Scott Lowe

Along those lines, one of their latest articles discusses how to achieve identity-based mutual authentication leveraging eBPF. Researchers have uncovered a potential security flaw in Apple Silicon CPUs; more details in this 9to5Mac article. I’m not sure how I feel about security researchers calling this flaw “not that bad.” Security. Via Teri Radichel, I saw this article from Google Project Zero about zero-click security vulnerabilities in Zoom.

Free Password Manager

Galido

Keeping track of passwords and making them secure is startlingly simple with Dashlane’s free password manager. Automatically import your passwords from Chrome or any other browser into your secure password vault. Outstanding authentication through facial biometrics, including liveness detection. Secure password sharing. KeePass Password Safe is a free, Open Source, lightweight, and easy-to-use password manager for Windows, Linux, Mac OS X, and Android mobile devices.

FBI Warns of ‘More Destructive’ DDoS Attacks

SecureWorld News

In February 2020, UK security researchers discovered a vulnerability in free, open source automation servers that would allow cybercriminals to amplify a Distributed Denial of Service attack by 100.

Things To Understand To Prevent Data Loss

Galido

Customer data is the lifeblood of any business entity; businesses are driven towards the increasing obligation of securing it as well as they possibly can. Cyber risk is now a huge corporate concern, and IT security budgets have risen in connection with it. Cyber Security 101. Who is in Charge of Cyber Security. Hiring of a CISO (Chief Information Security Officer) has a large role to play in the planning and enforcement of the data loss prevention program.

Why Magento Is Preferred By Ecommerce Industries?

Galido

According to sources, by the end of 2020 online retail sales will reach the figure of 4,058 billion. Right from managing data security to generating traffic, retaining customers, product return, and refund procedures, the list goes on. Open source. At last, using open source tools also means that the platform guarantees a robust performance and enhanced security for merchants and developers. Security.

Top Ten Ways Not To Sink the Kubernetes Ship

Linux Academy

To ensure ongoing security, site reliability engineers must work hand-in-hand with the CISO’s (Chief Information Security Officer) office to implement Kubernetes security. It is important to use security tooling such as OpenSCAP, the open source version of the Security Content Automation Protocol, to harden virtual machine images prior to their deployment in virtual private clouds. Implement Pod Security Policy.

The Generative Self-Sovereign Internet

Phil Windley

Summary: The self-sovereign internet, a secure overlay on the internet, provides the same capacity to produce change by numerous, unaffiliated and uncoordinated actors as the internet itself. TLS (HTTPS) is a secure overlay, but it is incomplete because it's not symmetrical.

DID Messaging: A Batphone for Everyone

Phil Windley

Summary: DID Messaging can provide a secure, authenticated, and verified channel for every relationship you have. The exchange of these so-called "peer DIDs" thus creates a mutually-authenticated relationship between the participants, where each can use the public key associated with the other's DID to authenticate them. He hadn't been at IIW, but I opened my wallet and created an invitation for Tim and sent it to him in a Twitter DM.

Technology Short Take 136

Scott Lowe

The content this time around seems to be a bit more security-focused, but I’ve still managed to include a few links in other areas. Rory McCune points out that Kubernetes is a router, and users should not rely on the fact that pods are not accessible from the outside by default as any form of a security barrier. Security. The popular open source cryptography library known as Bouncy Castle has uncovered a severe authentication bypass vulnerability.

Digital identity startup Evernym sells to Avast, looks to bring trust to a decentralized internet

GeekWire

The 30-person company has worked to create decentralized identifiers for open-source projects and efforts such as the International Air Transport Association’s Travel Pass. Department of Homeland Security. Evernym director of marketing Alex Andrade-Walz said they are very familiar with Auth0, contrasting Evernym’s approach with Auth0’s focus on authentication and log-ins.

Web3 and Digital Embodiment

Phil Windley

Open source software, the internet, and the World Wide Web broke the stranglehold of proprietary software with free software and open protocols, but within a few decades, Google, Amazon, and others had built huge new monopolies founded on big data.

Technology Short Take 141

Scott Lowe

Sonia Cuff provides a set of links for detailed instructions on setting up VPN access from macOS to Microsoft Azure with Azure Active Directory authentication. John Gruber’s post on “Secure Intent” on Apple devices was, for me at least, an informative read. I hadn’t delved that much into Apple’s hardware security efforts around Secure Enclave, mostly due to the fact that I was running older Apple hardware (a fact that has since changed).

Technology Short Take 122

Scott Lowe

Security. Bruce Schneier writes about how some Chinese hackers are bypassing RSA software token authentication (the title is a bit more broad, implying other forms of two-factor authentication are affected, but the article focuses on attacks against the use of RSA software tokens). Cole Atkinson discusses the fact that osxfuse is no longer open source, and the ramifications of this development on open source in general.

Technology Short Take 125

Scott Lowe

Security. Chris Wahl touches on the topic of using GitHub personal tokens to authenticate to HashiCorp Vault. Guido Appenzeller—once my manager at VMware, now at Yubico—shared this article about the Cerberus banking trojan, which is apparently now able to steal two-factor authentication (2FA) tokens from the Google Authenticator application.

Getting Started with Vulnerability Scanning

ForAllSecure

Vulnerability scanning is an important part of security as it can help organizations identify and fix vulnerabilities before they can be exploited by attackers. Vulnerability scanning can also help organizations comply with regulatory requirements for security. Vulnerability scanning is the process of identifying security vulnerabilities in systems or networks. Authenticated Scans.

The Cybersecurity Sprint: Are we safe yet?

Cloud Musings

Although a security update applied by the Office of Management and Budget (OPM) and the Homeland Security Department (DHS) in January ended the bulk of the data extraction, the U.S. Agencies were instructed to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems and dramatically accelerate the use of strong authentication, especially for privileged users. UPDATE: NBC News reports U.S.

Technology Short Take #59

Scott Lowe

Security. VMware open-sourced an identity and access management service called Lightwave (project web site, GitHub repo). First, he has a post on setting up a multi-node Lightwave domain; once you have a Lightwave domain running, his post on enabling SSH to authenticate against Lightwave may be useful. A moderate security bug in OpenSSH (all releases between 5.4 Welcome to Technology Short Take #59, the first Technology Short Take of 2016.

The Sovrin SSI Stack

Phil Windley

Summary: The Sovrin Identity Metasystem is based on a sophisticated stack of protocols, implemented in open-source code, backed and supported by hundreds of organizations, large and small, around the world.

Technology Short Take 112

Scott Lowe

Security. Tim Hinrichs discusses securing the Kubernetes API with Open Policy Agent. Pod Security Policies (PSPs) are an important security feature in Kubernetes. This article discusses four open source secrets management tools. Many organizations prefer to use two-factor authentication (2FA) to help protect their systems. Welcome to Technology Short Take #112!

Technology Short Take 114

Scott Lowe

Security. Since we’re on a bit of a security kick this time around, then the recent announcement by HyTrust of HyTrust CloudControl 6.0 This article by Bob Killen provides a good foundation of information on understanding Kubernetes authentication (AuthN) and authorization (AuthZ; implemented via RBAC). These look interesting, but be aware that they are not licensed with an open source license. Welcome to Technology Short Take #114!

Technology Short Take #65

Scott Lowe

In any case, I can see some very useful cases for subnet pools, particularly in conjunction with tenant networks that use “routable” IPs and don’t use source NAT on the logical router(s). Security. Bruce Schneier asks the question that society has yet to answer (and may be afraid to answer): “…do we prioritize security over surveillance, or do we sacrifice security for surveillance?” Welcome to Technology Short Take #65!

Elon Musk’s Twitter plans are a huge can of worms

The Verge

“I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans.” “Open source” algorithms. Authenticate all humans?

Some Photoshop users can try Adobe’s anti-misinformation system later this year

The Verge

Adobe has released more details on its Content Authenticity Initiative, a system for permanently attaching sources and details to an image. They would want a CAI-enabled camera to provide the initial metadata, a Photoshop record for edits, and certificates identifying the source.

The Hacker Mind Podcast: Fuzzing Message Brokers

ForAllSecure

As I produce this episode, there's a dangerous new vulnerability known informally as Log4Shell; it’s a flaw in an open source Java logging library developed by the Apache Foundation and, in the hands of a malicious actor, could allow for remote code injection. Open to open SSL.

The Hacker Mind Podcast: Hunting The Next Heartbleed

ForAllSecure

I mean, it was open source, right? To answer these questions I’ll talk with an expert on developing security testing tools, someone who was, coincidentally, there the moment Heartbleed was discovered. Kaksonen: I have been looking at the space of security tools.
