Malicious JavaScript in image metadata used to steal data; then, images are used again to exfiltrate data:

blog.malwarebytes.com/threat-a

– Malware uses Exif metadata to inject JavaScript that steals data.
– Afterward, the data is exfiltrated as an image via GET/POST to another server.
– As a server admin, frequently update the server software, and monitor file integrity + network traffic. Moreover, set a strict Content Security Policy.

#malware #image #metadata #exif #infosec #security
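As an added example (not from the linked Malwarebytes write-up and not part of this feed), a small defensive check a server admin could run over uploaded JPEGs: it walks the segment headers, pulls the APPn (Exif) and COM payloads and flags script-like text inside them, which is where the injected JavaScript described above would sit. The `SCRIPT_PATTERN` word list and the `build_jpeg` sample builder are assumptions made for this demonstration.

```python
import re
import struct

# Strings that have no business in picture metadata; assumed starting list, tune for your upload pipeline.
SCRIPT_PATTERN = re.compile(rb"<script|javascript:|eval\(|fromCharCode", re.IGNORECASE)

def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before Start of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: only entropy-coded pixel data follows, all metadata is behind us
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # big-endian, counts its own two bytes
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, payload
        pos += 2 + length

def find_script_in_metadata(data: bytes):
    """Return [(segment_name, snippet)] for APPn/COM segments that contain script-like text."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue  # DQT, SOF, DHT and friends carry no free text
        match = SCRIPT_PATTERN.search(payload)
        if match:
            name = "COM" if marker == 0xFE else ("Exif" if payload.startswith(b"Exif\x00\x00") else f"APP{marker - 0xE0}")
            hits.append((name, payload[max(0, match.start() - 8):match.end() + 24]))
    return hits

def build_jpeg(segments) -> bytes:
    """Constructed sample only: SOI, the given (marker, payload) segments, then an SOS marker."""
    out = b"\xff\xd8"
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + b"\xff\xda"

# Constructed Exif payloads: a fake TIFF header followed by free text, as a tainted comment field would look.
CLEAN_EXIF = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08Shot on a sunny day"
TAINTED_EXIF = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08/*<script>eval(atob('...'))</script>*/"

if __name__ == "__main__":
    for label, exif in (("clean", CLEAN_EXIF), ("tainted", TAINTED_EXIF)):
        print(label, find_script_in_metadata(build_jpeg([(0xE0, b"JFIF\x00"), (0xE1, exif)])))
```

A hit is a reason to quarantine the upload and look at what served it, not proof of compromise on its own; re-encoding uploads with metadata stripped removes the carrier entirely.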

OWASP Chapters All Day (June 2020):
In case you missed it, there is a collection of recent OWASP talks. The topics include security-relevant HTTP response headers, lessons learned for incident response teams (CSIRT/PSIRT), and hardening code/systems.

owasp.org/www-community/pages/

#owasp #infosec #talks #security #cybersecurity

This is a great example of why open source is the only thing that's really worth investing your time into long term.

"Because Syncthing is free and doesn’t depend on server-side storage, they don’t need to put weird or unnatural restrictions on you."

tonsky.me/blog/syncthing/

"UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage."

github.com/cloudflare/utahfs

🤔

The upcoming "Feature Policy" is now called "Permissions Policy":

w3c.github.io/webappsec-featur

We already updated the relevant part of our Web server security series: infosec-handbook.eu/blog/wss3-

Keep in mind that the Permissions Policy isn't supported by most web browsers, so you don't need to set it at the moment. Clients ignore it.

#FeaturePolicy #PermissionsPolicy #webserver #security #infosec #cybersecurity
