Stof

62 posts published

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser, safe? How could they be?Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared with the client.. If you participate in bug

Zero-trust doesn't exist but that's OK

Where zero-trust might existScenarios that have no dataScenarios with data that are never connected to powerWhy? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity?Digital identity is the only identity. Digital identities can

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group for CCM version 4 when I came across the OWASP CSA Project and went on a little adventure to learn more about OWASP. Many readers probably think they're aware of OWASP, as I once thought I

Python pip requirements.txt lock file

OverviewOpinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application. However,

Private AWS S3 - How hard could that be?

Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.

You're probably a Blue Team, not a Red Team

For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_

Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is so effective they are going to block all TLS

TLS secures my data, right?

You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of ‌‌Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) Data within the session

PCI DSS - Are AWS KMS and CloudHSM suitable?

PCI DSS - Are AWS KMS and CloudHSM suitable?

A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership

Australia - Where Compliance and Regulation Obligations are Unlawful

Australia - Where Compliance and Regulation Obligations are Unlawful

The Australian Government's controversial encryption bill passed the Senate last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about the development of a new online service

Exploiting Orphaned Webserver Files

Exploiting Orphaned Webserver Files

Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now

Preparing for Independent Penetration Testing

Preparing for Independent Penetration Testing

White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for

Information Security strategy tips for startups

Information Security strategy tips for startups

Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be over-whelming for a smaller organisation. Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.

Vendor attestations prove nothing about your systems

Vendor attestations prove nothing about your systems

Over the years I've been tasked to implement controls as a developer or self-assess and design controls that meet the requirements of contractual, compliance, regulatory, and legislative obligations. One of the continuing misconceptions I've seen is most business believe (and often publicly claim) a vendors security and compliance attestations will

ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond

ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond

The Australian Cyber Security Centre (ACSC) has developed The Essential Eight which are mitigation strategies that organisation's can use to produce a modern risk profile and response plan for todays cyber threats. My post will help you align these best practices to your solution as a baseline making it much

Responding to a troll GDPR Subject Access Request - Australian/NZ Version

Responding to a troll GDPR Subject Access Request - Australian/NZ Version

The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.

On Tether Cryptocurrency and Ransomware

On Tether Cryptocurrency and Ransomware

Tether has become the defacto reserve currency as the hundreds of different cryptocurrencies are actually created and exchanged on it. I'll touch on Tether and go into Ransomware briefly, as these are the reason for the post. The I'll deep dive on Cryptocurrency because there is actually three totally separate

Machine Learning model training over time

Machine Learning

Machine Learning model training over time

Do you train new models using new data, or do you re-train existing models with new samples? Retraining a model For the past few years I've been capturing network traffic and building various machine learning models around the data, not always security related but always design for a long lasting

Software Engineers guide to AWS Solution Architecture

Software Engineers guide to AWS Solution Architecture

So you're a developer or operations engineer (or both, DevOps) and work in a small team that either has no access to a Solution Architect. or you do but expected to re-architect solutions for security and reliabilty Get to know the AWS Well-Architected Framework and the new Operational Excellence Pillar

How-to convince colleagues to accept new processes

How-to convince colleagues to accept new processes

Let me share with you a technique taught to me that I've used and refined, it's always had an impact that can help convince even the most remiss, ignorant, or doubtful opposition to a well argued and rationalised new process. More than 10yrs ago when I was in my 20s

How to fix sudo must be owned by uid 0 and have the setuid bit set in WSL

How to fix sudo must be owned by uid 0 and have the setuid bit set in WSL

So I recently took up the challenge of turning my PC with only Ubuntu KDE installed into a dual-boot Windows 10 PC. I've been on Ubuntu since 2008 and after a decade free of Windows at home I decided to take up the challenge of using WSL (Windows subsystem for

GDPR compliance beyond Europe

GDPR compliance beyond Europe

GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is the right to be forgotten But there is much more you need to know and the effects are far reaching beyond Europe. What Assessments are needed? Data protection impact assessments (DPIAs) or

Misunderstood Business Continuity risk domain

Misunderstood Business Continuity risk domain

A look at Business Continuity Management (BCM); The process that is responsible for Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) using Business Impact Analysis (BIA) enabling Operational Resilience through HA and DR principles

Privacy Controls for your Risk Assessment

Privacy Controls for your Risk Assessment

Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.

Cryptocurrency cannot be trusted (yet)

Cryptocurrency cannot be trusted (yet)

So I posted a response to an article on Medium titled Making Money Trustworthy - Bitcoin Explained which wasn't a particularly outrageous article and had a lot of good content in it, but it was lacking an understanding of what trust even is and it didn't particularly try too hard