#security (2019-03)

Archive: https://archive.sweetops.com/security/

2019-03-06

Erik Weber

Is anyone familiar with any webserver security check tools? I have a couple of servers that do shared hosting (don’t get me started on why…) and I’d like to assess whether or not they are secure enough (as far as shared hosting can get secure)

Erik Weber

That is, I’m interested in the actual server configuration, not individual web applications

Erik Osterman (Cloud Posse)

@Erik Weber is this in a containerized env?

Erik Weber

Unfortunately, no

Erik Osterman (Cloud Posse)

Hrm… yea, don’t have any suggestions for that.

Erik Weber

Thanks anyway. Do you know of any container based shared hosting solutions? I’ve taken over some legacy crappy shared webservers I’d like to get rid of

2019-03-07

Maciek Strömich

I only heard about https://github.com/fffaraz/dockerweb some time ago but never used it

fffaraz/dockerweb

A docker-powered bash script for shared web hosting management. The ultimate Docker LAMP/LEMP Stack. - fffaraz/dockerweb

Richard Pearce

New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

Update your Google Chrome browser immediately to patch a new high-severity zero-day RCE vulnerability (CVE-2019-5786) that hackers are actively exploiting in the wild


2019-03-09

Erik Osterman (Cloud Posse)

Iranian hackers ransack Citrix, make off with 6TB+ of emails, biz docs, internal secrets

Remote-desktop giant ‘among more than 200 govt agencies, oil, gas, tech corps’ hit by cyber-gang

2019-03-12

Maciek Strömich

does anyone use something like anchore to scan docker images for vulnerabilities?

Maciek Strömich

or Clair maybe?

Erik Osterman (Cloud Posse)

#codefresh has many examples for using Clair

Erik Osterman (Cloud Posse)

(not the channel, but the docs)

2019-03-13

chrism

Aqua Security has a good microscanner

pecigonzalo

anyone running zero-trust even for their mail/collaboration/etc and integrated with MDM/EMM?

davidvasandani

There are three new Rails security issues that were just released. These can lead to remote code execution, file disclosure and denial of service.

https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw


2019-03-18

Erik Osterman (Cloud Posse)

Desperate to get through to execs, some cybersecurity vendors are resorting to lies and blackmail

Aggressive sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats.

2019-03-26

btai

how do you guys send sensitive data to each other? i use keybase but was wondering if there are better alternatives

Erik Osterman (Cloud Posse)

Keybase

Erik Osterman (Cloud Posse)

But 1Password just added the ability to share to individuals

Erik Osterman (Cloud Posse)

Also, chamber is ideal for development secrets

btai

i use 1pw for personal

Erik Osterman (Cloud Posse)

We use 1Password for teams

Erik Osterman (Cloud Posse)

It’s great

Erik Osterman (Cloud Posse)

Plus integrates with Duo for MFA/geofencing

Erik Osterman (Cloud Posse)

And supports slack notifications so we have an easily accessible audit log

Tim Malone

@Erik Osterman (Cloud Posse) Geofencing for passwords… is this some fancy voodoo? (like, i can only log in when i’m in the office?)

Erik Osterman (Cloud Posse)

Yea Duo works with push, so if your phone is not in a specific geography (not sure how specific) it will reject the request. E.g. coming from North Korea ;)

Tim Malone

oo fancy!

btai

@Erik Osterman (Cloud Posse) I love 1PW, my company (like most) uses lastpass cause it’s cheaper :P

Erik Osterman (Cloud Posse)

Yea it seems like party lines are drawn between LastPass and 1p. I never got used to the LastPass UI. Briefly used Dashlane for 1 year and so happy to be back to 1Password.

2019-03-27

Igor

I think LastPass offers better enterprise support. They have an extensive list of policies.

2019-03-28

chrism

Ha yeah; worked with him once. I’m surprised he knew how to delete anything

chrism

that reports wrong of course

chrism

he’s serving 12 months

chrism

and 1 year on license

chrism

“the company lost ‘big contracts with transport companies’ to the tune of £500,000” If you’re in aws sharing creds and no 2fa you don’t really get sympathy

chrism

“Could Voova have avoided this crisis? Yes, and the solution would have been simple: a 2FA (two-factor authentication) system. By implementing this system, when Needham logged into the system a text message would’ve been sent to Speedy’s smartphone also asking for permission to login” When you write an article but don’t bother to look at the auth options

chrism

… journalists, pfft
