Blog

  • Change OpenVAS Session Time

    Here is a small piece of knowledge that prevented me from going nuts. Set your OpenVAS session expiry time before it drives you crazy! OpenVAS is a great vulnerability scanner, but the default session expiry time is set to 15 minutes, which is just plain annoying when you’re running a scan and want to check…


  • Disqus to fully support CSP

    I already blogged about my problems with Disqus and the Content Security Policy header twice, but recent changes in Disqus made me revisit the whole topic. Burak Yiğit Kaya, developer at Disqus, made a few changes we discussed about a month ago that would improve the coexistence of Disqus and CSP on a website. While…


  • Protect Your Data

    Are cloud services safe to use, or are you better off creating your own data castle? Let’s take a look at the difference between cloud services and self-hosted solutions, and why trust is a key part of security. Cloud services have become widely used over the past years, and it looks like they’ll be…


  • (W)BP#3 – HAProxy SNI, IPython, PostgreSQL and VIM

    A new bucket post – I will change them from weekly to “whenever I feel like it”. Mainly because I can’t find the time to write actual posts between the bucket posts and I don’t want this blog to consist solely of bucket posts. SSL Client Certificate Support for Owncloud – Meanwhile on the interwebs,…


  • Security vs. Compatibility – Fight!

    How do you secure a web page for private use? Easy if you ask me: use client certificates and a secure connection over TLS, preferably with a signed certificate. So far so great, the website is pretty secure now, as only someone with the right certificate can visit it. But what about compatibility with client…


  • Testing for GHOST Vulnerability with Ansible

    Yesterday, reports of a critical vulnerability in the GNU C Library (glibc) hit the news. If you have more than just a handful of servers to check, this Ansible playbook might be helpful. You can read all about the vulnerability here. Usually when I have to check multiple servers, I use Ansible like this. In the…


  • We got hacked! Now what?

    Almost a year ago, I experienced my first real security incident. The company’s bulletin board was compromised and it was my job to oversee and coordinate the incident response. The teams and I were pretty much thrown into the cold water, as we’d never experienced an incident of that size before. Right after the incident…


  • WBP#2 – SHA256, Flask, Safari, Keybase.io and more…

    The Weekly Bucket Post goes into the second round. This week we have wrong SHA256 hashes, problems with Safari and, amongst other things, an invitation to keybase.io! sha256sum creates “wrong” hash – Recently I was wondering why a SHA256 hash of the string password was listed in neither the Hash Toolkit nor the LeakDB databases.…


  • CSP and Disqus are buddies!

    After all that trouble I had with Disqus and my Content-Security-Policy, I finally got it working. Not only that, but I got some help from a Disqus JS dev! First of all, I want to apologize for a few things in my last post. I blamed Disqus for using eval, when it was really me…


  • CSP: “Disqus gotta go!”

    Recently I noticed that Disqus wasn’t loading anymore. It was easy to figure out that CSP was the reason why. In the end I was left with nothing more than the choice of which one needs to go. Update: Burak Yiğit Kaya, a JavaScript developer at Disqus, reached out to me to address the…