Cybersecurity

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

Seems like a really serious vulnerability, any container attack or malicious image could take over a container host if there's no hardening on the containers.

For our business we use a number of different apps and websites but only two of them offer 2FA with a security key. The rest allow for an authenticator app. In this case, it seems just using an authenticator app would be best for consistency and without needing to purchase keys.

Of course, installing authenticator apps on each device would be a no-no since it wouldn't technically be 2FA. Then do we use each employee's personal phone? Not sure how to proceed.

Channel with alerts for when Apple releases patches for actively exploited vulnerabilities in iOS and macOS. Auto updates are good, but it’s best to update straight away and not worry.

Hello!

I've recently stumbled upon an amazing blog about getting credentials from a Bitwarden vault through DPAPI and Windows Credential Storage, and what surprised me is that any low-privileged process can just ask for all information in Credential Storage, without requiring any user input (the article discusses it in the second half, even though the first half is about abusing DA credentials), through the CredEnumerateW WinAPI call.

Since that vector was pretty interesting, I tried running their PoC for listing the cred storage on my machine and on several colleagues' machines, and was surprised that every machine had domain account credentials listed in plaintext, which could be grabbed by any low-privileged process just by calling this WinAPI.

I suspected that it's because of Outlook or Teams, because I found articles from a few years ago mentioning that they do get saved there. However, one colleague did not have his credentials there, even though he was using Teams and Outlook and had his password saved.

So, how did that password get there? Why do most people we tried the PoC with have a domain password saved, but some do not? Or is it because of Windows Hello? I'd love to get some kind of solution/recommendation about how to avoid having your password, in plaintext, in such an insecure space. Or was I dumb enough to save it into Edge somewhere, and have promptly forgotten about it?

And more importantly, how is this not a pretty severe vulnerability, and why is it considered "as designed" by Microsoft? The fact that any process can just ask for your credentials is mind-blowing, plus it isn't even detected by the EDRs we tried it with when discussing it with our SOC.

I'd like to create a Plex/Jellyfin server that I can open up to family and friends on other networks. I know there are security concerns with opening my home network to outside traffic like this, but I'm not educated well enough on cyber security to know what practices to avoid or how to accomplish this safely.

Something I've come across is the Firewalla Purple. It's a device that plugs into your modem to provide a firewall, DNS ad blocking, and some other cyber security features.

From what I've read, the network monitoring and security features provided by this product would solve the security concerns that come with opening a Jellyfin/Plex server to outside connections. Firewalla also provides lifetime access to their VPN with the purchase of their products, so I could stop paying for Proton if it's any good. The DNS ad blocking is a huge bonus.

How can I safely let friends and family stream from my Plex/Jellyfin server? Would this Firewalla product solve any of these issues? Is their VPN service comparable to Proton or Mullvad?

They're blaming customers for not having good cybersecurity practices instead of themselves for not having good cybersecurity practices.

This community appears to have been abandoned by the current moderator. Neither account shows any activity for the past 6 months, nor has the user responded to DMs I sent via Lemmy and Matrix several weeks ago.

Would anyone like to step up and become the new moderator? We should have an active user in that role.

@[email protected] / @[email protected] I'm mentioning you here for transparency. If you ever come back to Lemmy you should have a notification directing you to this post.

Hey! I program a lot but I'm not very good with cybersecurity and stuff, although I have a basic grasp of GPG and asymmetric encryption.

My problem is:

Let's imagine that Alice (A) and Bob (B) each have a file with a number written in it.

Ideally, I'd like a program that A can run on her computer that would take B's file, but encrypted, and output the minimum of the two values contained in A's and B's files.

But without any way for A to know what B's number is, except if B's value is the minimum, obviously.

Can someone help me with that? Thank you for reading!
