A Decade of Have I Been Pwned
Europe agrees on rules to protect smart devices from cyber threats
Platform Tilt - Mozilla
Adversarial Attacks on LLMs
iMessage, explained
Front-end security best practices
Simple sabotage for software
Big Tech’s role in enabling link fraud
EFF Unveils Its New Street Level Surveillance Hub
Hunting Malicious Infrastructure-Headers and Hardcoded/Static Strings
I’m harvesting credit card numbers and passwords from your site. Here’s how. | by David Gilbertson | Medium
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
Intro to AI Security Part 1: AI Security 101
For at least two years now I have been complaining about the lack of Artificial Intelligence (AI) Security resources. I complain about many…
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP se…
How to Fortify Your Docker Containers: A Guide to Advanced Security Practices
Introduction DevOps has been rapidly evolving in the software development landscape, and from the cornerstone Docker has emerged. Its ability to package applications into portable, scalable containers has taken deployment strategies to the next level. However, with this power, comes the responsibility of securing the containers. In this blog, we dive deep into advanced techniques and best practices for securing Docker containers, ensuring your deployments are not just efficient but also fortified against a variety of cyber threats.
Cybersecurity: What Every CEO and CFO Should Know | Toptal®
This article outlines cybersecurity challenges such as vendor security and the rise of IoT. Solutions include real-time intelligence and cyber-insurance.
Rego 101: Introduction to Rego | Snyk
Learn how to write your first policy as code rules in Rego. This Rego tutorial for beginners covers the basics of Rego syntax and using OPA.
GitHub - protectai/ai-exploits: A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities
A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities - GitHub - protectai/ai-exploits: A collection of real world AI/ML exploits for responsibly disclosed vulnerabil...
State of Cloud Security | Datadog
We analyzed data from thousands of organizations to understand the latest trends in cloud security posture.
In a first, cryptographic keys protecting SSH connections stolen in new attack
An error as small as a single flipped memory bit is all it takes to expose a private key.
Securing HTML fragments returned by API endpoints
A web application frontend often performs requests to a backend API. Even though this API is only supposed to be used by the frontend, it is usually also accessible with a browser. An attacker can use this to exploit vulnerabilities.
Cryptography Guidelines
Guidance on implementing cryptography as a developer.
Secure Code Review Tips to Defend Against Vulnerable Node.js Code
How do you identify vulnerable code patterns? Can you spot insufficient input validation? Enhance your Node.js development security with this guide to secure code review.
A beginner’s guide to running and managing custom CodeQL queries
Learn how to transform your code with custom CodeQL queries that empower you to surface security vulnerabilities and discover new insights.
The reckoning on cloud container and serverless security
Ephemeral infrastructure's transient nature has afforded it a 'free pass' on forensic examination in the past, but that window is closing.
What the !#@% is a Passkey?
A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
Serverless Security: Protecting Functions in the Cloud
Serverless computing has revolutionized the way applications are built and deployed in the cloud. By abstracting away servers, serverless…
From Akamai to F5 to NTLM... with love.
In this post, I am going to show the readers how I was able to abuse Akamai so I could abuse F5 to steal internal data including authorization and session tokens from their customers.
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Nautilus researchers evaluated the disclosure process of open-source projects and found flaws that allowed harvesting the vulnerabilities before patched
How the Wikimedia Foundation Balances Security and Open Information in Web Development - OpenJS Foundation
Background The Wikimedia Foundation is the non-profit that hosts Wikipedia and other free knowledge and open data projects. These projects are made possible by a global community who, together with...
Threat Hunting: Detecting Browser Credential Stealing [T1555.003] - FourCore
Adversaries can steal credentials, cookies and other private data from browsers using various techniques. We cover how you can simulate Credential Stealing From Browser s and detect it with your security tools. Sigma Rules Inside.