Security

5005 readers
1 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
1
 
 

I am looking for active Lemmy accounts about software vulnerabilities, CVEs, etc. It could be specific to GHSA, CSAF, PySEC, GSD, Pypi or whatever.

I will use it in a software vulnerability lookup projects: https://github.com/cve-search/vulnerability-lookup/ in order to create Sightings about vulnerabilities.

(it's fine as well if you can provide me Mastodon accounts. I already follow CVE program)

thank you !

2
1
shopping issue (lemmy.dbzer0.com)
submitted 6 days ago* (last edited 6 days ago) by [email protected] to c/[email protected]
 
 

hi everyone!! i need ur help with a security matter!! pardon me my bad English. It's my first time buying online I wanna buy something from eBay with my bank card but eBay doesn't provide 3d security which is another layer of security I'm afraid that my personal might get leaked if i used it like that and i don't wanna open a PayPal account since I'm only using this once plus PayPal fees and deductions are high for someone like me and the extra custom charges are already taking a lot of my money that i was planning to buy other things!! what to do know???????? google wallet? deactivating e-commerce international payment after I'm done purchasing ??? pls help me and thank you! btw this is why crypto should take over!!! 🥹😓

3
4
5
 
 

here is the talk description, from its page on the schedule for KubeCon + CloudNativeCon + Open Source Summit China 2024 (which Linux Foundation somehow neglected to put in their youtube upload's description):

In Febuary the Linux kernel community took charge of issuing CVEs for any found vulnerability in their codebase. By doing this, they took away the ability for any random company to assign CVEs in order to make their engineering processes run smoother, and instead have set up a structure for everyone to participate equally.

This talk will go into how the Linux CVE team works, how CVEs are assigned, and how you can properly handle the huge number of new CVEs happening in a simple and secure way.

今年二月,Linux内核社区开始负责为其代码库中发现的任何漏洞发布CVE编号。通过这样做,他们剥夺了任何随机公司分配 CVE 的能力,以便使他们的工程流程更顺畅,取而代之的是建立了一个人人平等参与的结构。

本次演讲将介绍 Linux CVE 团队的工作方式,CVE 的分配过程,以及如何以简单且安全的方式妥善处理大量新出现的 CVE。

Here is a PDF of the slides from Greg's git repo for this talk.

6
 
 

We released version 1.5.0 of the Vulnerability Lookup project! 🎉 (https://github.com/cve-search/vulnerability-lookup/)

edit-comments-with-tags meta-field Japanese source

This update brings significant new features, improvements, and fixes.

🆕 Notable Changes

We've integrated the Japan Database of Vulnerability Countermeasure Information (JVN DB), correlating security advisories from multiple sources (including NVD, GitHub, and CSAF, etc.) already available in Vulnerability Lookup.

You can now assign tags to comments directly on the website. These tags are stored in the comment's meta field and utilize the MISP Project taxonomy for vulnerabilities. Explore the taxonomy here.

We've enhanced the API to allow users to filter comments and bundles based on data available in the meta JSON field of the objects. This paves the way for leveraging more taxonomies in the future.

More details in the release notes.

Thank you very much to all the contributors and testers! 🙏

As always, feel free to create an account on the main instance operated by CIRCL.

We eagerly await your contributions! 😊

7
8
 
 

Teacher assaults in schools are a growing concern, impacting both staff safety and the learning environment. These incidents can range from verbal confrontations to physical altercations, making it crucial for schools to have effective safety measures in place. One of the most effective tools to ensure a swift and coordinated response is an emergency response app.

Wihkum, a cutting-edge emergency response app designed specifically for schools, offers a robust solution to this pressing issue. With its features including instant alerts, real-time communication with emergency services, and location tracking, Wihkum helps schools respond promptly to incidents of teacher assault and other emergencies. By integrating Wihkum into your school's safety protocol, you can enhance the security of your staff and create a safer learning environment for students.

Explore how Wihkum can be a vital component in your school's emergency preparedness strategy and contribute to a safer school environment.

9
10
11
12
13
14
 
 

cross-posted from: https://lemmy.ml/post/18049618

Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources (NIST, GitHub, CSAF-Siemens, CSAF-CISCO, CSAF-CERT-Bund, PySec, VARIoT, etc.), independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). Vulnerability Lookup is also a collaborative platform where users can comment on security advisories and create bundles.

A Vulnerability Lookup instance operated by CIRCL is available at https://vulnerability.circl.lu.

15
16
 
 

Check out our open-source, language-agnostic mutation testing tool using LLM agents here: https://github.com/codeintegrity-ai/mutahunter

Mutation testing is a way to verify the effectiveness of your test cases. It involves creating small changes, or “mutants,” in the code and checking if the test cases can catch these changes. Unlike line coverage, which only tells you how much of the code has been executed, mutation testing tells you how well it’s been tested. We all know line coverage is BS.

That’s where Mutahunter comes in. We leverage LLM models to inject context-aware faults into your codebase. As the first AI-based mutation testing tool, Our AI-driven approach provides a full contextual understanding of the entire codebase by using the AST, enabling it to identify and inject mutations that closely resemble real vulnerabilities. This ensures comprehensive and effective testing, significantly enhancing software security and quality. We also make use of LiteLLM, so we support all major self-hosted LLM models

We’ve added examples for JavaScript, Python, and Go (see /examples). It can theoretically work with any programming language that provides a coverage report in Cobertura XML format (more supported soon) and has a language grammar available in TreeSitter.

Here’s a YouTube video with an in-depth explanation: https://www.youtube.com/watch?v=8h4zpeK6LOA

Here’s our blog with more details: https://medium.com/codeintegrity-engineering/transforming-qa-mutahunter-and-the-power-of-llm-enhanced-mutation-testing-18c1ea19add8

Check it out and let us know what you think! We’re excited to get feedback from the community and help developers everywhere improve their code quality.

17
1
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/[email protected]
 
 

Reposted from: https://lemmings.world/post/10865023

1. Recognize the common signs

• Urgent or emotionally appealing language • Requests to send personal or financial information • Unexpected attachments • Untrusted shortened URLs • Email addresses that do not match the supposed sender • Poor writing/misspellings (less common)

2. Resist and report Report suspicious messages by using the “report spam” feature. If the message is designed to resemble an organization you trust, report the message by alerting the organization using their contact information found on their webpage.

I have found also these phishing reporting pages:

SITE: https://safebrowsing.google.com/safebrowsing/report_phish/

SITE: https://www.ncsc.gov.uk/section/about-this-website/report-scam-website

SITE: https://www.scamwatcher.com/scam/add?type=fraudulent_website

SITE/EMAIL: https://report.netcraft.com/report ( scam [*AT*] netcraft [*D0T*] com - for a phishing/fraud mail forwarding )

EMAIL: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email#section_1 - forward phish mail to report [*AT*] phishing [*D0T*] gov [*D0T*] uk

EMAIL: https://apwg.org/reportphishing/ ( reportphishing [*AT*] apwg [*D0T*] org - forward phishing mail as attachment if possible )

EMAIL: phishing-report [*AT*] us-cert [*D0T*] gov (phishing message should be sent as attachment possibly or its full source code in a message BODY.)

OTHER: https://www.knowbe4.com/free-phish-alert (email client extension)

feedback or new additions are welcome

3. Delete Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. The unsubscribe button could also carry a link used for phishing. Just delete


Source: https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

Send this to your friends, especially internet beginners.

18
19
20
 
 

This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

BusKill Canary #008
The BusKill project just published their Warrant Canary #008

For more information about BusKill canaries, see:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Status: All good
Release: 2024-06-11
Period: 2024-06-01 to 2024-12-31
Expiry: 2025-01-31

Statements
==========

The BusKill Team who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is June 11, 2024.

2. The current BusKill Signing Key (2020.07) is

   E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A

3. We positively confirm, to the best of our knowledge, that the 
   integrity of our systems are sound: all our infrastructure is in our 
   control, we have not been compromised or suffered a data breach, we 
   have not disclosed any private keys, we have not introduced any 
   backdoors, and we have not been forced to modify our system to allow 
   access or information leakage to a third party in any way.

4. We plan to publish the next of these canary statements before the
   Expiry date listed above. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Special announcements
=====================

None.

Disclaimers and notes
=====================

This canary scheme is not infallible. Although signing the 
declaration makes it very difficult for a third party to produce 
arbitrary declarations, it does not prevent them from using force or 
other means, like blackmail or compromising the signers' laptops, to 
coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to 
demonstrate that this canary could not have been created prior to the 
date stated. It shows that a series of canaries was not created in 
advance.

This declaration is merely a best effort and is provided without any 
guarantee or warranty. It is not legally binding in any way to 
anybody. None of the signers should be ever held legally responsible 
for any of the statements made here.

Proof of freshness
==================

04 Jun 24 14:10:16 UTC

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Fortress Europe: Migrants Abandoned on the Edge of the Sahara
Israel-Gaza-Krieg: Menschenrechtler Aryeh Neier über Schuldfrage und Strafverfolgung (Kopie)

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Middle East Crisis: Israeli Airstrikes Kill Iranian General in Syria
Live Updates: India’s Election Results Suggest a Setback for Modi

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Shock for India's Modi as opposition set to slash majority
Gaza ceasefire plan turns into deadly game of survival

Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)
000000000000000000014cd79802b29c1dcd7fc6debee1e3968cfc216b59bf16

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEeY3BEB897EKK3hJNaLi8sMUCOQUFAmZfIwgACgkQaLi8sMUC
OQXZYA/9ElVoUy3Um3IXFSwUGO+ctkvKd6idD7RuOBjqZyfadr4emrDrfQKYbCpa
Gik4M1H/GWobO/RaDjeSjQtGUmlPn8anhoFzmI6pPz7fBSfg5VGemllyHI2ypPpf
cJ1jLrmzpDGxLqPd/R/WsoE8dY9E7q20JgNESAqEYyjmjxqOjx6EnIjBjy8u+xL3
YWBw5BQn/1XbLXw4X7WJNH1cNIIZDgePdIb8Wq6wEDTzFzAvfw5BPhJ2rVaChV9P
6d25htXLy5FU/qvomiy1C+ZskzbZPKGDNgr8lC/MPeNgLi0d/ps2Rgut/CGjKreW
UiBmp3xslizR2/WhpRrcz0VLYxdNolfPY0odpgXkvQSEqGiZ1gOw5OQIN0f8HMiL
nOXnnxFVgdO/I/x9X2DwKAGwuts/GSeWOHdeNxvflyDGEYJHt9YMT7kXcJ0/dl6z
QSNHDoCMzMkxBCX23mlgY8pDSjw0Lqud0HDIChi1DFuNk7m1SfMIKGOn0ZAPsNqX
RuMiLCMOPzdE8BBBpKFwZFtx0zyC78xAOBK1M8DqlUexT3CBGFjOwCmGY27dLFZe
6ygdrqptb5uDOXFsw63cWSOilCnEcx7M8FDX7QjuV6EUQwvsxpeKvHZIFVlJNQCX
L5F8Lig/y4Q9iCjGiu3oT5zPuuEXPhKkyPsIeM9lC+zP/eC8rL4=
=E7lp
-----END PGP SIGNATURE-----

To view all past canaries, see:

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

21
22
 
 

cross-posted from: https://reddthat.com/post/20097432

Unbelievable...

23
24
25
 
 

So I have a situation where I would like to keep data secure. In my mind if I'm working on a computer that has no network connection, this is the safest.

However, I may from time to time need to transfer data to this machine, which introduces a vulnerability. Any thoughts on how I could minimize the risk in this case?

view more: next ›