cybersecurity


This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

101
 
 
The original post: /r/cybersecurity by /u/adarsh-mishra on 2024-12-01 05:59:01.

I was just searching for a course and then I found a course by Google in cybersecurity on Coursera. I was wondering if any of you know about it. If anyone does, I have some questions to ask; will you please clarify them?

1. After completing this course, for which post will I be able to apply in cybersecurity?

2. Will I be able to hack after this?

3. Is it worth it?

102
 
 
The original post: /r/cybersecurity by /u/arqf_ on 2024-12-01 04:27:07.
103
 
 
The original post: /r/cybersecurity by /u/PacketsForward on 2024-12-01 00:29:59.
104
 
 
The original post: /r/cybersecurity by /u/Elegant-Computer-731 on 2024-11-30 22:09:13.

I’m looking for solutions to prevent phone or other recording devices from capturing sensitive information during meetings, to ensure critical data doesn’t leak to the public. I’ve heard about concepts like mobile security, using signal jammers, specialized wall paints, and certain procedures, but I’d like to learn more about these and other potential methods. Can anyone provide additional information or insights on this topic?

105
 
 
The original post: /r/cybersecurity by /u/ItzAlb on 2024-11-30 19:02:07.

I’m a cybersecurity student currently working on a Website intended for commercial use, and I wanted to share my thought process on API architecture using JWTs for authentication and authorization. I’d love to get feedback from the community to refine my approach. Here’s what I am using:

  • JWT Contents: The token includes expiration time, user ID, and user type, which are critical for backend operations like database interactions and enforcing user-specific logic.
  • Secure Communication:
    • The frontend communicates with the reverse proxy over HTTPS through the internet.
    • The reverse proxy communicates with the backend over a private network.
  • Reverse Proxy Responsibilities:
    • Validates the JWT token using the signature.
    • Implements rate limiting and caches recent requests for improved performance.
    • Filters out invalid or unauthorized requests before they hit the backend, by validating the session_id or the JWT token. Without one of these two, no communication is allowed besides receiving a session_id on the first visit. With a session_id you are allowed to attempt login, after which you get a JWT valid for 24h, after which you have to log in again. Rate limiting applies to session_ids and JWT tokens.
  • Backend Assumptions:
    • The backend servers rely on the reverse proxy to perform JWT validation.
    • The backend uses the token claims (like user ID and user type) passed by the proxy to interact with the database and apply business logic.

The JWT itself is sent as a secure, HTTP-only cookie.

My Thought Process:

Since:

  1. All communication between the frontend and reverse proxy happens over HTTPS, protecting data from interception.
  2. The reverse proxy validates the JWT and rejects invalid tokens.
  3. The backend communicates with the proxy in the Hetzner private network. (Thinking of HTTPS here too; I don't know if the communication can be intercepted, as I can't control the network, which is managed by Hetzner. Pros: less exposure and lower latency.)

Personally, I think revalidating the JWT at the backend might be unnecessary in this setup. The proxy acts as a trusted gatekeeper, and the backend can safely use the claims forwarded by the proxy. Only the Proxy is allowed to communicate with the backend servers.

My Questions:

  1. Is skipping JWT revalidation on the backend a reasonable choice in this scenario, given the secure setup?
  2. Are there scenarios where double-dipping validation is a must, even with a private network and secure proxy in place?

Would love to hear your thoughts on whether this design is secure or if there are risks I might be overlooking.

Thanks in advance for your insights!

106
ASM Use Cases (zerobytes.monster)
 
 
The original post: /r/cybersecurity by /u/stayoutofwatertown on 2024-11-30 17:57:02.

We are looking at attack surface management tools. We are primarily interested in coverage gaps, EoL and better vuln prioritization. What other use cases should we be looking at?

107
The Reality of Full-Time Bug Bounty Hunting (cybersecurityandgrowth.substack.com)
 
 
The original post: /r/cybersecurity by /u/danielkelleym on 2024-11-27 07:41:46.
108
 
 
The original post: /r/cybersecurity by /u/hodgehegrain on 2024-11-27 05:59:55.
109
 
 
The original post: /r/cybersecurity by /u/pfirmsto on 2024-11-27 02:47:04.

Hello folks, I have a little project on github, feel free to join in, fork etc if you find it interesting.

https://github.com/pfirmstone/jdk-with-authorization

It's a fork of OpenJDK master, that will remain compatible but preserve and improve support for Authorization / Access Controls.

Features:

  • Principle of Least Privilege policy generation tool: -Djava.security.manager=polpAudit. This significantly simplifies deployment and management of security policy files.
  • Non-blocking cache SecurityManager (to avoid repeated checks in Executor tasks) and high-scaling policy provider: -Djava.security.manager=default. This eliminates the security performance penalty.
  • Restrict class loading to signed jar files, or generate a whitelist of allowable jar files using policy, to prevent loading of untrusted code.
  • Generate a whitelist of allowable URLs.
  • Generate a whitelist of allowable Serializable objects.
  • Reduced the trusted codebase to the java.base module and native platform code; all modules can be controlled and their class loading prevented, should you wish to disable unwanted features in OpenJDK. It also allows you to restrict features to authenticated users should you wish to do so.
  • Removed static permissions. For example, static permissions were granted to enable applets to contact their originating URL; however, static permissions create the potential for URL injection attacks in software utilising URLClassLoader, e.g. JNDI LDAP URL injection attacks. Although this feature has options to disable it in the JVM, or was removed in Java 24, it's possible to allow it safely using signed jar files and URL whitelists. Removing static permissions simplifies the security model: permissions previously granted by code are now granted by policy.

Related Videos

Securing the JVM • Nicolas Frankel • GOTO 2019

A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land

Compatibility across all Java Platforms:

We can no longer call System::getSecurityManager or System::setSecurityManager; many permission checks call System::getSecurityManager, but they don't have to:

@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkPermission(new RuntimePermission("closeClassLoader"));
}

Use checkGuard instead:

new RuntimePermission("closeClassLoader").checkGuard(null);

Alternatively save the new permission to a static field:

private static Guard CLOSE_CLASS_LOADER = new RuntimePermission("closeClassLoader");

Then call:

CLOSE_CLASS_LOADER.checkGuard(null);

The advantage of the static field is that it will be cached by CombinerSecurityManager, and the comparison will be made by reference instead of Object equals.

Continue using AccessController::doPrivileged and Subject::doAs methods.

Use -Djava.security.manager=default to set a SecurityManager on supported platforms.

This will allow your software to support all Java platforms.

110
 
 
The original post: /r/cybersecurity by /u/andy-codes on 2024-11-26 23:16:58.

In our article, we outline several critical vulnerabilities discovered in NASA's AIT-Core v2.5.2, including SQL injection, local code execution through eval, Pickle, and YAML, and remote code execution via Man-in-the-Middle attacks. We detail how these flaws can potentially lead to severe security breaches, including command injection and unauthorized access, and demonstrate the risks through various examples and exploit scenarios. We also recommend specific mitigations such as using secure query-building methods, avoiding insecure libraries, and encrypting communications to prevent these vulnerabilities from being exploited.

111
 
 
The original post: /r/cybersecurity by /u/Terrible_Dig1200 on 2024-11-26 23:08:11.

I was wondering if anyone took the US Cyber Challenge for 2024 and did you get invited to the 2025 Camp? Also, if you did, what was your placement?

112
 
 
The original post: /r/cybersecurity by /u/An_Ostrich_ on 2024-11-26 22:19:10.

The place I work at currently uses ESET Protect as the endpoint protection platform, and before renewing our licenses we are deciding whether we need to switch from ESET to something like SentinelOne or Defender 365. We’re also in the process of ramping up the organisation’s security starting next year, and that is one of the reasons why we’re considering this switch.

Our ecosystem consists mostly of Windows PCs and servers, very few Linux servers, and also some Android devices; we have Office 365, and also some infrastructure in the Azure cloud. The top two contenders for me right now are Defender 365 (because of the footprint MS has on us and also because the whole ecosystem will integrate well), and SentinelOne. CrowdStrike (even though I like the product) didn’t make it because our higher-ups are still uneasy about their outage incident.

How are your experiences with these two products? Would love to hear about out-of-box protections, fine-tunings and integrations, support, and administration.

And also regarding ESET, they’ve served us well over the years. I think the company is looking for something ‘modern’ but I did my research and it seems like all these products do the exact same thing.

113
 
 
The original post: /r/cybersecurity by /u/icewolf04 on 2024-11-26 22:11:08.

I'm trying to create an alert for any time a computer in the network creates virtual machines. I've been able to search for commands containing "qemu-system" and others, but finding every VM software in existence is only going to detect the ones I've thought of.

Is there a behavior, Windows code, or a short list of things that VMs have in common? Thanks!
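Added example, not from the post: detection logic run over constructed process-creation records that pairs a deliberately partial, assumed list of hypervisor image names with command-line markers that survive a renamed binary (VM start verbs and QEMU-style launch flags), which is the behavioural angle the question asks about.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    host: str
    reason: str
    cmdline: str


# Assumed, intentionally partial set of VM launcher image names (lower-case basenames).
VM_IMAGES = {
    "qemu-system-x86_64", "qemu-system-aarch64", "vmware-vmx", "vmware-vmx.exe",
    "virtualboxvm.exe", "vboxheadless.exe", "vmwp.exe",
}

# Behavioural markers independent of the binary name: VM control verbs and QEMU launch flags.
VM_CMD_PATTERNS = [
    (re.compile(r"\bvboxmanage(\.exe)?\s+startvm\b", re.I), "VBoxManage startvm"),
    (re.compile(r"\b(New|Start)-VM\b", re.I), "Hyper-V PowerShell cmdlet"),
    (re.compile(r"\bvirsh\s+(start|create)\b", re.I), "libvirt virsh start"),
    (re.compile(r"(^|\s)-(enable-kvm|accel[\s=])"), "QEMU accelerator flag"),
    (re.compile(r"(^|\s)-m\s+\d+[MG]?\s.*\s-(hda|drive|cdrom)\s"), "QEMU memory plus disk flags"),
]


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=value|Key=value' process-creation record (Sysmon EID 1 style)."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def detect_vm_launch(events: List[str]) -> List[Hit]:
    """Return one Hit per event that looks like a VM being created or started."""
    hits = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image in VM_IMAGES:
            hits.append(Hit(ev.get("Host", "?"), f"known VM image {image}", cmd))
            continue
        for pattern, label in VM_CMD_PATTERNS:  # fall back to behaviour when the name is unknown
            if pattern.search(cmd):
                hits.append(Hit(ev.get("Host", "?"), label, cmd))
                break
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "Host=ws01|Image=C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe|CommandLine=VBoxManage.exe startvm lab --type headless",
    "Host=ws02|Image=/opt/tools/notqemu|CommandLine=notqemu -enable-kvm -m 4096 -hda disk.img",
    "Host=ws03|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -c Start-VM -Name build",
    "Host=ws04|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
]
```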

114
Advent of Cyber (zerobytes.monster)
 
 
The original post: /r/cybersecurity by /u/fanicia on 2024-11-26 20:44:49.

Hey folks. With the holiday season coming up, I wanted to show off Advent of Cyber for the aspiring cybersecurity professionals among us. Dinking around with freemium sites like this can seem silly, but I attribute a significant amount of my initial learning to stuff like this, so I really recommend it to newcomers 🙂

I have done a quick write-up on a cool little task from Advent of Cyber 2021 about Burp Suite and brute-forcing with Intruder. Hope you like it 🙂

https://medium.com/@Fanicia/tryhackme-advent-of-cyber-27acbe17f487

115
 
 
The original post: /r/cybersecurity by /u/arqf_ on 2024-11-26 20:33:39.
116
 
 
The original post: /r/cybersecurity by /u/Euphoric_Tree335 on 2024-11-26 20:03:48.

Let’s say a new grad is lucky enough to join your team with no previous cybersecurity experience.

What do you expect from them? How would you measure their performance?

117
 
 
The original post: /r/cybersecurity by /u/Tujantahaimujhe_ on 2024-11-26 19:01:33.

MacBook M2 or Windows

Which will be best for cybersecurity and for ethical hacking purposes? And please let me know which one would be best in the Windows category. I am new, and as I cannot go for a computer as of now, I wanted to know which one will be best for multitasking.

118
 
 
The original post: /r/cybersecurity by /u/Successful_Focus6125 on 2024-11-26 18:46:40.

Hi everyone,

I’m currently studying cybersecurity and wondering about the value of certifications versus just completing courses. Are exams and certifications (like CompTIA Security+, CEH, etc.) essential to get a job in the field, or would employers consider someone who has completed the coursework but hasn’t taken the exam?

Also, if you’ve been through this journey, I’d love to hear your advice on what helped you break into this.

119
 
 
The original post: /r/cybersecurity by /u/liverdust429 on 2024-11-26 18:34:05.

How do dark web monitoring services work?

Aside from buying stolen data and dumps, what other techniques do they use?

I assume they might search through forums, but I'm not entirely sure how that would work and am also interested in other ways.

120
 
 
The original post: /r/cybersecurity by /u/DeepDreamerX on 2024-11-26 17:05:34.
121
 
 
The original post: /r/cybersecurity by /u/MrMillner on 2024-11-26 15:08:23.

I'm fortunate to have the opportunity of getting one certification sponsored by my employer every year. After doing a lot of SANS certs in the past, there is basically nothing cloud-related left on their offer.

What Cloud Courses/Certifications did you enjoy so far? Are there any "vendor neutral" Certs you can recommend? I'm looking at the CCSP at the moment, how does it compare to SANS courses and how technical is ISC2?

122
 
 
The original post: /r/cybersecurity by /u/gurugabrielpradipaka on 2024-11-26 13:56:06.
123
 
 
The original post: /r/cybersecurity by /u/SteeleDuke on 2024-11-26 12:38:05.

Am I just paranoid, or are millions of vapers' computers infected from Vaporesso vape device firmware?

https://imgur.com/a/nbrj7De

124
 
 
The original post: /r/cybersecurity by /u/YnysYBarri on 2024-11-26 10:18:19.

Hi,

I've got a PowerShell script that checks the NIST NVD JSON data feed each morning. It gets the data for a specific date range, uses that to populate an Excel file and then quits.

Twice recently (Friday and today) the Excel file is blank and the JSON feed is returning a 503. I thought it could be something to do with a network change at work, so I tried it over 5G and got the same thing. Any ideas?

125
 
 
The original post: /r/cybersecurity by /u/anynamewillbegood on 2024-11-26 10:16:19.