Tag Archive for: thoughts

Top 5 Cyber-Security companies in India.

CISO Thoughts with David Lindner – March 18th

Insight #1

If you can accomplish one thing in your AppSec program this year, it should be keeping secrets out of your source code. The number of secrets in source code is doubling year over year, which will lead to more breaches. There are many options to detect secrets both pre- and post-commit; implement both today!

Insight #2

Security is all about the relationships you build. This is especially true for application security professionals. We must have close bonds with our development teams, not only to understand and empathize with their deadlines but also to understand the implications of any security-imposed changes. Pick up the phone, open a Zoom call, build those relationships, and your success metrics will improve.

Insight #3

President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This act requires critical infrastructure entities and federal government agencies to report cybersecurity incidents within 72 hours of an incident. Transparency is a key component in the cyber security world and can help prevent future exploits. If you don’t fall within the defined entities, I would still strongly suggest you follow the requirements and report incidents in a similar fashion.

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug…

Source…

Google has second thoughts about cutting cookies, so serves up CHIPs • The Register

Last week, third-party cookies received a stay of execution from Google that will allow them to survive until late 2023 – almost two years beyond their previously declared decommission date. But the search-ads-and-apps biz is already planning a resurrection of sorts because third-party cookies are just too useful.

The Chocolate Factory envisions a lesser form of third-party cookie, one that in theory won’t be used for tracking but will be able to support other more acceptable use cases. Google software engineer Dylan Cutler and engineering manager Kaustubha Govind call their confection “partitioned cookies” in a Web Platform Incubator Community Group proposal called “CHIPs.”

Cookies are files that web applications can set in web browsers to store data. They have legitimate uses, like storing data related to the state of the application (e.g. whether you’re logged in), and they can also be used for tracking people across websites.

Third-party cookies – set by scripts that interact with third-party servers – track people by storing a value on one website and then reading that value on another website that implements a similar third-party script. The third-party service in this case then knows all the websites running their script that were visited by the tracked individual.

That’s the sort of privacy-invading behavior that led browser makers like Apple, Brave, Mozilla, and others to block third-party cookies by default. But doing so has created problems by interfering with applications that rely on third-party cookies to deliver services across domain contexts.

The browser security model is based on the distinction between first-party and third-party contexts. When an individual visits a specific web domain, that domain operates in a first-party context; services available at other domains are considered third-party and face various limitations on what they can do.

Source…

Some Thoughts on the Recent DNS Operations, Analysis, and Research Centre Workshop, OARC-35

The DNS Operations, Analysis, and Research Centre (DNS-OARC) convened OARC-35 at the start of May. Here are some thoughts on a few presentations at that meeting that caught my attention.

TTL Snooping with the DNS

These days it seems that the term “the digital economy” is synonymous with “the surveillance economy.” Many providers of services on the Internet spend a lot of time and effort assembling profiles of their customers. These days, it’s not just data in terms of large-scale demographics but the assembling of large sets of individual profiles. We are all probably aware that we emit a steady stream of bits as a digital outflow when we use the Internet, and there is a major ongoing effort to sniff this digital effluent and derive profiles of individual activities from this data. If an entity operates a recursive resolver in the DNS or operates a popular web service, then it’s pretty clear how such user profiles can be assembled if that’s what they want to do. What is not so apparent is that almost anyone can sniff our digital outflow. All it takes is a little ingenuity.

The presentation on “Trufflehunter” at DNS OARC 35 is a good case in point of being able to perform such indirect snooping. The question posed here is to what extent stalkerware is being used. By its very nature, stalkerware is covert, as the intent is that the intended victim should be completely unaware that they have this app running on their device. So, is there a puff of tell-tale smoke that can reveal stalkerware in action? The key observation is that these apps often use the DNS as a command-and-control channel. After all, the DNS is ubiquitous, and the total query volumes are truly prodigious. What are a few more queries in such a torrent of DNS? The app is simply hiding itself in a densely packed crowd. You might get a signal of active stalkerware if you operated a DNS resolver, but if you aren’t the resolver operator, then you just can’t see the signal. Right?

Not true.

The critical piece of data that is used in this form of digital eavesdropping is the TTL (Time to Live) field in DNS responses. When a recursive resolver loads a response that was supplied by an authoritative server,…

Source…