Security daily (24-08-2020)

How to import PFX-formatted certificates into AWS Certificate Manager using OpenSSL

In this blog post, we show you how to import PFX-formatted certificates into AWS Certificate Manager (ACM) using OpenSSL tools. Secure Sockets Layer and Transport Layer Security (SSL/TLS) certificates are small data files that digitally bind a cryptographic key pair to an organization’s details. The key pair is used to secure network communications and establish […] (AWS Security Blog)

043| Paths to Infosec: Military Vs. Psychology

There is no one set path to a cybersecurity career, and today's guests have arrived in the field in very different ways. Logan Whitmire comes from a military background and Derek Stoeckenius has a degree in psychology. In this episode, they share what sparked their interest in infosec, their journey to their current roles, and how their unique backgrounds influenced the way they approach their work. Also: Tips on getting into the field, and what they might have done differently if they could go back. Links: Episode 43 transcript (Cyber Security Sauna)

US military researchers may have found a more productive vulnerability discovery process

A study from the U.S. government shows there is proof of a way to be more efficient when looking for flaws in software. Security researchers of all expertise levels do better with an improved, automated analysis that better allocates human resources during investigations, U.S. military researchers from the National Security Agency, Cyber Command, Navy, Air Force, and Army posit in new research published this month. This differs from a common approach taken when researchers are more naturally inclined to zero in on a given piece of software to try to find flaws. “There is a cognitive bias in the hacker community to select a piece of software and invest significant human resources into finding bugs in that software without any prior indication of success,” they write in the paper. This status quo, which the researchers call the “depth-first” approach, places more of a burden on experienced researchers while beginners get […] (CyberScoop)

John Felker, former head of DHS’s cyberthreat center, to retire from the department in September

John Felker, who helped expand the Department of Homeland Security’s cyberthreat-sharing efforts with the private sector, announced Monday that he would retire on Sept. 25 after spending five years at DHS and more than three decades in the federal government. Felker was best known at DHS for heading the National Cybersecurity and Communications Integration Center (NCCIC), the department’s 24/7 watch floor and information-sharing hub for hacking threats, from 2015 to 2019. For the last year, Felker has led a division at the department’s Cybersecurity and Infrastructure Security Agency (CISA) that oversees the agency’s field offices across the country. The NCCIC, which includes a vast room of monitoring screens at a DHS building in Arlington, Virginia, is one of the better known federal initiatives to warn companies of malicious cyber activity. Following the formal creation of CISA in 2018, the NCCIC was rebranded and its functions split between two divisions. Felker’s Integrated Operations Division […] (CyberScoop)

Monday review – catch up on our latest articles and videos

Our recent articles and videos, all in one place. (Naked Security)

How to Conduct a Pentest Like a Pro in 6 Phases

Penetration testing, or pentesting, is the process of probing a network or system by simulating an attack, which is used to find vulnerabilities that could be exploited by a malicious actor. The main goal of a pentest is to identify security holes and weaknesses so that the organization being tested can fix any potential issues. In a professional penetration test, there are six phases you should know.

Pentesting Lingo

Like many industries, and especially within IT, certain terms can cause initial confusion for people not familiar with them. Penetration testing can get pretty technical, but […] (Null Byte « WonderHowTo)

Google Researcher Reported 3 Flaws in Apache Web Server Software

If your web server runs on Apache, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it.

Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the execution of arbitrary code and, in specific scenarios, even could allow attackers to cause a crash […] (The Hacker News)

Amazon Alexa Bugs Could've Let Hackers Install Malicious Skills Remotely

Attention! If you use Amazon's voice assistant Alexa in your smart speakers, just opening an innocent-looking web link could let attackers install hacking skills on it and spy on your activities remotely.

Check Point cybersecurity researchers, Dikla Barda, Roman Zaikin and Yaara Shriki, today disclosed severe security vulnerabilities in Amazon's Alexa virtual assistant that could render it […] (The Hacker News)

Google Fixes High-Severity Chrome Browser Code Execution Bug

The high-severity flaw, which was patched in the latest version of Google's Chrome browser, could allow code execution. (Threatpost)

Iran-Linked ‘Newbie’ Hackers Spread Dharma Ransomware Via RDP Ports

The recent Dharma campaign by Iran-linked script kiddies shows that the ransomware is being spread not just by sophisticated, state-sponsored actors anymore. (Threatpost)

APIs Are the Next Frontier in Cybercrime

APIs make your systems easier to run, and make it easier for hackers, too. (Threatpost)


/security-daily/ 25-08-2020 23:44:22