#security (2019-03)
Archive: https://archive.sweetops.com/security/
2019-03-06
Is anyone familiar with any webserver security check tools? I have a couple of servers that do shared hosting (don’t get me started on why…) and I’d like to assess whether or not they are secure enough (as far as shared hosting can get secure)
That is, I’m interested in the actual server configuration, not individual web applications
@Erik Weber is this in a containerized env?
Unfortunately, no
Hrm… yea, don’t have any suggestions for that.
Thanks anyway. Do you know of any container based shared hosting solutions? I’ve taken over some legacy crappy shared webservers I’d like to get rid of
2019-03-07
I only heard about https://github.com/fffaraz/dockerweb some time ago but never used it
A docker-powered bash script for shared web hosting management. The ultimate Docker LAMP/LEMP Stack. - fffaraz/dockerweb
Update your Google Chrome browser immediately to patch a new high-severity zero-day RCE vulnerability (CVE-2019-5786) that hackers are actively exploiting in the wild
2019-03-09
Remote-desktop giant ‘among more than 200 govt agencies, oil, gas, tech corps’ hit by cyber-gang
2019-03-12
does anyone use something like anchore to scan docker images for vulnerabilities?
or Clair maybe?
#codefresh has many examples for using Clair
(not the channel, but the docs)
2019-03-13
Aqua Security has a good microscanner
anyone running zero-trust even for their mail/collaboration/etc and integrated with MDM/EMM?
There are three new Rails security issues that were just released. These can lead to remote code execution, file disclosure and denial of service.
https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
2019-03-18
Aggressive sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats.
2019-03-26
how do you guys send sensitive data to each other? i use keybase but was wondering if there are better alternatives
Keybase
But 1Password just added the ability to share to individuals
Also, chamber is ideal for development secrets
i use 1pw for personal
We use 1Password for teams
It’s great
Plus integrates with Duo for MFA/geofencing
And supports slack notifications so we have an easily accessible audit log
@Erik Osterman (Cloud Posse) Geofencing for passwords… is this some fancy voodoo? (like, i can only log in when i’m in the office?)
Yea Duo works with push, so if your phone is not in a specific geography (not sure how specific) it will reject the request. E.g. coming from North Korea ;)
oo fancy!
@Erik Osterman (Cloud Posse) I love 1PW, my company (like most) uses lastpass cause it’s cheaper :P
Yea it seems like party lines are drawn between LastPass and 1p. I never got used to the LastPass UI. Briefly used Dashlane for 1 year and so happy to be back to 1Password.
2019-03-27
I think LastPass offers better enterprise support. They have an extensive list of policies.
2019-03-28
Ha yeah; worked with him once. I’m surprised he knew how to delete anything
that reports wrong of course
he’s serving 12 months
and 1 year on license
“the company lost ‘big contracts with transport companies’ to the tune of £500,000” If you’re in AWS sharing creds with no 2FA, you don’t really get sympathy
“Could Voova have avoided this crisis? Yes, and the solution would have been simple: a 2FA (two-factor authentication) system. By implementing this system, when Needham logged into the system a text message would’ve been sent to Speedy’s smartphone also asking for permission to login” When you write an article but don’t bother to look at the auth options