"Estonian Electronic Identity Card: Security Flaws in Key Management"
– Afterward, the data is exfiltrated as an image via GET/POST to another server.
– As a server admin, update the server software frequently, monitor file integrity and network traffic, and set a strict Content Security Policy.
"Fixers Know What ‘Repairable’ Means—Now There’s a Standard for It"
"Written communication is remote work super power"
"Exploiting Bitdefender Antivirus: RCE from any website"
"Conducting a Cloud Assessment in AWS"
OWASP Chapters All Day (June 2020):
In case you missed it, there is a collection of recent OWASP talks. The topics include security-relevant HTTP response headers, lessons learned for incident response teams (CSIRT/PSIRT), and hardening code/systems.
This is a great example of why open source is the only thing that's really worth investing your time into long term.
"Because Syncthing is free and doesn’t depend on server-side storage, they don’t need to put weird or unnatural restrictions on you."
"UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage."
"AWS Security Maturity Roadmap"
"Understanding Web Security Checks in Firefox"
"Two vulnerabilities in Zoom could lead to code execution"
"How did I found SSRF in Facebook — the story of my first bug bounty"
"Sandboxing nginx with systemd"
The upcoming "Feature Policy" is now called "Permissions Policy":
We already updated the relevant part of our Web server security series: https://infosec-handbook.eu/blog/wss3-tls-headers/#ex-headers
Keep in mind that the Permissions Policy isn't supported by most web browsers yet, so you don't need to set it at the moment. Clients that don't support it simply ignore the header.
Achieving accessibility through simplicity