Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
"Estonian Electronic Identity Card: Security Flaws in Key Management"
https://www.usenix.org/conference/usenixsecurity20/presentation/parsovs
Nice read
Gonçalo Valério
boosted
Malicious JavaScript in image metadata used to steal data; then, images are used again to exfiltrate data:
– Malware uses Exif metadata to inject JavaScript that steals data.
– Afterward, the data is exfiltrated as an image via GET/POST to another server.
– As a server admin, frequently update the server software, and monitor file integrity + network traffic. Moreover, set a strict Content Security Policy.
epidemiology 101 with nice playable simulations (related to covid-19)
"Fixers Know What ‘Repairable’ Means—Now There’s a Standard for It"
https://de.ifixit.com/News/35879/repairability-standard-en45554
👍
"Written communication is remote work super power"
"curl: Partial password leak over DNS on HTTP redirect"
"Exploiting Bitdefender Antivirus: RCE from any website"
https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/
"Conducting a Cloud Assessment in AWS"
Gonçalo Valério
boosted
OWASP Chapters All Day (June 2020):
In case you missed it, there is a collection of recent OWASP talks. The topics include security-relevant HTTP response headers, lessons learned for incident response teams (CSIRT/PSIRT), and hardening code/systems.
https://owasp.org/www-community/pages/social/chapters_all_day/schedule/
Gonçalo Valério
boosted
Gonçalo Valério
boosted
This is a great example of why open source is the only thing that's really worth investing your time into long term.
"Because Synthing is free and doesn’t depend on server-side storage, they don’t need to put weird or unnatural restrictions on you."
"UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage."
https://github.com/cloudflare/utahfs
🤔
"AWS Security Maturity Roadmap"
https://summitroute.com/downloads/aws_security_maturity_roadmap-Summit_Route.pdf
"Understanding Web Security Checks in Firefox"
"Two vulnerabilities in Zoom could lead to code execution"
https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
"How did I found SSRF in Facebook — the story of my first bug bounty"
https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
interesting read
"Sandboxing nginx with systemd"
https://medium.com/@nickodell/sandboxing-nginx-with-systemd-80441923c555
Gonçalo Valério
boosted
The upcoming "Feature Policy" is now called "Permissions Policy":
https://w3c.github.io/webappsec-feature-policy/
We already updated the relevant part of our Web server security series: https://infosec-handbook.eu/blog/wss3-tls-headers/#ex-headers
Keep in mind that the Permissions Policy isn't supported by most web browsers, so you don't need to set it at the moment. Clients ignore it.
#FeaturePolicy #PermissionsPolicy #webserver #security #infosec #cybersecurity
Gonçalo Valério
boosted
Achieving accessibility through simplicity
https://sourcehut.org/blog/2020-05-27-accessibility-through-simplicity/
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
