Discover and read the best of Twitter Threads about #security

Most recents (24)

20 theses on #Ukraine/#Russia: recap.
1 We must act not only for Ukraine to win, completely, but also for Russia to lose, fully.
Let's stop fearing a collapse of Russia (which some weak minds are more worried about than Ukraine's victory).
A #Thread
🧵
1/20 Image
2 There can be neither negotiations (apart from one-off issues like prisoner exchanges) with Putin's regime, nor peace talks.
Any hint of this weakens us.
2/20
3 The discourse in favor of such discussions, such as "we will have to sit down at the negotiating table", is either a sign of ignorance of the danger of this regime, or a propaganda narrative.
It would lead to a betrayal of our commitments to Ukraine and put us in danger.
3/20
Read 20 tweets
Quick #tip for anyone doing #WebDevelopment for #Business: *Always* check what sites look like with #Javascript turned off! 👍

I just saw one with a business tracker which - Because I have JS off - Suggested the company hadn't done any satisfactory business in 10+ years! 😳

🧵
In this case the tracker counts satisfied customers, completed projects and metres of material produced, all defaulted to zero and updated by the JS. 📥

Because JS wasn't running the zero defaults were shown instead, and this definitely isn't a good look for the company! 🏢📉😳
Although JS is commonplace, it should never be relied upon for #MissionCritical things. In todays resource-scarce climate every little must be conserved, and for some of us that even extends to blocking JS - Which is also a valid #Security measure. Especially for Govt users!
Read 4 tweets
Dear subscribers and guests of the channel! Dozens of men from the entourage of #Russian President Vladimir #Putin can beat their heads against a concrete wall of distrust, trying to get the head of state to make this or that decision.
1/13
And two women, having said or written a few words, force the President to refuse or, at least, postpone the implementation of decisions already made.
2/13
Last Thursday, the Chairman of the Russian Central Bank, Elvira Nabiullina, was confidentially conveyed the President's decision to declare partial mobilization and martial law in seven constituent entities of #Russia and offered to prepare to act in "new conditions."
3/13
Read 13 tweets
1/ A software engineer is a solution provider not only someone who writes code or helps to get code written.
#softwareEngineering #webDevelopment #code #softwareEngineer #solution #value #business 101 software engineering realities you must be aware of (esp
2/ Code is one of the ways to reach a solution, not the only way.
All the points at: geshan.com.np/blog/2022/09/s…
#code #noCode
3/ Solutions have value, mainly in terms of money earned or money saved. So the software you write is a path to saving money or earning more money for the business.
#businesValue #value #soluiton #softwareEngineering #webDevelopment
Read 101 tweets
#Russia’s war on #Ukraine is likely to last many years, even if the violence may subside at times. #RussiaUkraineWar
To sustain Ukraine during this conflict, Europeans should draw up a four-part ‘#longwar plan’.
This plan would comprise #militaryassistance to Ukraine in the form of a ‘#security compact’; security assurances that respond to scenarios of Russian escalation; economic support, giving Ukraine access to the #EUsinglemarket; and help to secure Ukraine’s #energysupply.
Read 6 tweets
#Learn365 - Day 1⃣ 7⃣

Since we are talking about Polyglots, today I have SQLi Polyglot for you.
A context insensitive sqli payload polyglot, a thread. 🧵👇

#infosec #appsec #bugbountytips #security Image
When it comes to SQLi, the SQli polygot is the payload that runs in context of ' (single quote) and " (double quote).

E.g
SLEEP(1) /*' or SLEEP(1) or'" or SLEEP(1) or "*/

Will execute in both the contexts.
How ?

Let's see next.
MYSQL_QUERY = "SELECT * FROM users WHERE username = '<input>'" ;

Would turn into

MYSQL_QUERY = "SELECT * FROM users WHERE username = 'SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/" '";

Carefully observe, the Payload is happy. Image
Read 6 tweets
Blockchain & Smart Contract Security #11
1/9
Secure Account Existence check for Low-level Calls
A thread and a blogpost @SolidityScan Also read about "King of Ethers" contract hack.

blog.solidityscan.com/secure-account…

#blockchain #security #smartcontracts #SOLIDITY
2/9
What are low-level calls?
Low-level calls are methods that work on raw addresses to call other contracts' functions in Solidity. "call", "delegatecall", "callcode", "send", "transfer", etc are some examples of low-level functions
3/9
The call() method allows you to call any function you want on the address specified, and if the function is implemented on that address, it will be executed.
Read 9 tweets
Save this list of resources for your future #OSINT Investigations!

intelx.io: Search engine for data breaches
netlas.io: Search & monitor devices connected to the internet
urlscan.io: Scan a website incoming and outgoing links and assets
prowl.lupovis.io: Free IP search & identifications of IoC and IoA
fullhunt.io: Identify an attack surface
zoomeye.org: Cyberspace search engine, users can search for network devices
leakix.net: Identify public data leaks
greynoise.io: Search for devices connected to the internet
search.censys.io: Get information about devices connected to the internet
hunter.io: Search for email addresses
Read 6 tweets
#Learn365 - Day 1⃣ 6⃣

Can write single Exploit payload which can exploit both HTML and JS injection in this ?

Yes we can, they are POLYGLOT payloads.
A context sensitive injection payloads, a thread. 🧵👇

#infosec #appsec #bugbountytips #security Image
Polyglot payloads capable of executing in multiple contexts.

A simple Example:
Input is flowing through HTML and JavaScript contenxt both and HTML is executed first then JS.

If you design the payload with JS context, HTML parse would fail, and XSS wont execute.
Which means you have to design your payload which can pass both the contexts and still execute.

In above case there are two contexts,

HTML
&
JS

First HTML context is executed.

Lets take a look at the payload now.
Read 10 tweets
This is your forewarning. #TikTok has reportedly suffered a #data #breach, and if true there may be fallout from it in the coming days. We recommend you change your TikTok #password and enable Two-Factor Authentication, if you have not done so already.
The types of information accessible haven’t been confirmed.

A security team *has* claimed responsibility, but are currently working privately so we’ll hold off on the disclosure without a go-ahead.

#CyberSecurity #databreach #social #tiktok #security #cyberattack
Checked, they’re no longer private. Researcher Credit @AggressiveCurl 🫡
Read 3 tweets
Just a reminder when focusing on #security for your #office365 and #azuread tenants one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365 you should & read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication,are used to authenticate to Microsoft 365 through your on-premises identity infrastructure.Ifa SAML token-signing certificate is compromised, federation allows anyone who has.."2/7
certificate to impersonate any user in your cloud.

We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
Read 14 tweets
A #Twitter whistleblower’s allegations that the Indian government forced the company to hire at least one individual who was a government agent and had access to user data, should be taken seriously, warn experts in the #technology and #policy sectors.

scroll.in/article/103156…
@MishiChoudhary, founder of @SFLCin says that the more someone knows about a user, the more power they have over them. “Personal data is used to make a variety of decisions in and about our lives: jobs, government benefits, relationships & insurance are just a few of them.”
“Personal data can be used to affect our reputations and shape our behaviour,” says @MishiChoudhary

Accusing #Twitter of playing all sides she says, “By filing a lawsuit in Karnataka, it can appease its users, ‘look here, we are fighting for your rights. ’ ”
Read 7 tweets
#DeFi is a constantly moving space.✨💸

And so, it's important to be on top of all things at all times.👑

Here are 10 #tools you NEED for bettering your DeFi journey:🧵👇
1. @DefiLlama: #DeFiLlama maintains all the #TVL data on #DeFi protocols.💸💎

DeFiLlama is a comprehensive tool where you can look at all the data on a #protocol and its #growth.🚀✨

2. @etherscan: Etherscan is a simple tool with lots of utilities.📈💰

#Etherscan is a tool that shows all the #transactions in the Ethereum ecosystem💲

Why @ethereum, though? Well, tons of protocols like @Uniswap are made on #Ethereum.💎

Knowing #ETH helps know #DeFi better.👑
Read 12 tweets
#Learn365 - Day 6⃣

Can you identify and exploit the #security bug? 🤔

In today's thread lets learn about exploit writing 🧵👇

#infosec #appsec #bugbountytips #security
This is SQLi. easy to guess. Which field is vulnerable : username.

But the tricky part is how to exploit it.
If you disect the code, you would notice that SQL statement should always return one single word. Otherwise comparison will anyway fail in PHP code.

What next ?
What do you think will happen if I input :

" or 1=1;--

Think first !!
.
.
.
.
.
.
This will make SQL return entire password column.
Inturn, PHP check will fail at line #2.

So, you have to make SQL statement return 1 single word, and that should be password which u can match.
Read 11 tweets
If you want to Learn Hacking & Penetration Testing for FREE, read this:
⁃ Metasploit Unleashed

- Free Offensive Security Metasploit course.
- The Metasploit Unleashed (MSFU) course is provided
free of charge by Offensive Security.

🔗
offensive-security.com/metasploit-unl…
⁃ MITRE ATT&CK®

- #MITRE's Adversarial Tactics, Techniques & Common
Knowledge (ATT&CK) - Curated knowledge base and
model for cyber adversary behavior.

🔗
attack.mitre.org/resources/gett…
Read 8 tweets
#Learn365 - Day 4⃣

SOP 🫧, Same Origin Policy.
A browser security framework that every #hacker should know.

Know what is it in this thread 🧵👇

#infosec #security #appsec #cybersecurity #SOP #http Image
SOP is browser security model, and I find lot of folks out there, who still dont understand it in and out.
Let me cover it here, in few threads.

Let's Start.
It is a browser security model 🔥. Now what does that means ?
It simply means this control is enforced by browser to make user visiting a site more secure from attackers.

Browser creates virtual boundaries to segregate sites and this boundary is identified with ORIGINS.
Read 9 tweets
deccanherald.com/opinion/in-per…

Agri culture in India involved raising livestock to support farming, for milk and meat, and also to support the leather industry. It has evolved over millennia and weathered quite a variety of challenges: socio-political and environmental. 1/15
Caste was exploited. In post independent India it was eminently possible to attack caste based occupation & discrimination in farming and livestock rearing, without destroying millennia old knowledge that constituted agriculture. The opportunity was forfeited. 2/15
First by the Congress pandering to upper caste pressures, and now BJP, have targeted livestock rearing and turned the farms and livestock into a battle of political ideologies. 3/15
Read 16 tweets
<When seeking to define #genocide, Lemkin highlighted the crimes committed by the Soviet regime in #Ukraine. He saw the #Kremlin’s systematic efforts to destroy the #Ukrainian nation as a “classic example of Soviet genocide”> atlanticcouncil.org/blogs/ukrainea…
"The central event of the #SovietUnion’s genocidal campaign in #Ukraine was the murder of + 4million #Ukrainians through artificial famine in the early 1930s. The Soviet authorities experienced almost no negative consequences as a result of this unparalleled slaughter" #Genocide
"Far from acknowledging the famine as an act of #genocide, #Moscow continues to downplay or deny Soviet crimes against humanity" #Russia
Read 10 tweets
IMPROVING YOUR COMPETITIVE ADVANTAGE AS A SERVICE PROVIDER DAY 5

lnkd.in/eTyjMmvM (Read DAY 4 here)

There are many other things though intangibles that can distinguish you from your competitors. ....

#environment #hotel #hospital #restaurant #nigeria Image
Some of these include your parking space, ambience of your office or environment and possibly the cleanliness of your environment.

#brand #experience #security
If you have a restaurant and people find it difficult to park or they have to park on the main road at the risk of being caught by law enforcement agents, then you may be losing clients without knowing.
Read 9 tweets
Here is a #retrospective of my best works! A 20-part-thread ⬇️

Check them out while we are resolving issues with Twitter:

• Laplace’s Demon Speaks: Is there a life in blockchain: hackernoon.com/laplaces-demon…

• The Hidden Danger of QR Codes: hackernoon.com/the-hidden-dan…

⬇️⬇️⬇️
1/20

• A CIA Agent’s Guide to Steganography, Fooling the KGB, and protecting your crypto assets: hackernoon.com/a-cia-agents-g…

• A view on #OpSec: Through the Prism of Time: hackernoon.com/a-view-on-opse…

• An Interview with a Former #Hacker: hackernoon.com/grand-theft-bi…

⬇️⬇️⬇️
2/20

• Essential #OSINT & On-chain investigations resources for a quick start: hackernoon.com/essential-osin…

• Someone overheard me! Why it’s important to think about all attack vectors, even if they seem unlikely to happen: officercia.mirror.xyz/Gc4msiSq4HkKrr…

⬇️⬇️⬇️
Read 22 tweets
With the speculation around #TheMerge turning #ether into a #security, it's important to understand:
- what the conditions for ruling sth a 'security' are; and
- what this will mean for miners, DeFi protocols, and DAOs.

🧵👇
Context: #Ethereum is moving from a proof-of-work to a proof-of-stake system, where ppl need to invest/stake in capital to validate new blocks. Anchored in the Howey Test, professor @AdamLevitin argued that this transition will likely turn ether into a security.
Howey Test validates whether a sales/transaction is considered a security and should fall under its law. Its validator components include:
1. Investment of money
2. In a common enterprise
3. With an expectation of profits
4. Solely from the efforts of the promoter/a third party
Read 10 tweets
1/14
With everything that is happening with the blacklisting of tornado cash, #USDC and #USDT. With all the Risks of centralized exchanges becoming obvious after #Celsius. And with #Terra showing us what can happen with faulty designs…
2/14
I would like to explain a little about the @RSKsmart (#Rootstock) ecosystem and why I am such a big believer in it.
Firstly, it is secured by the #Bitcoin miners
Secondly, almost all the fees get paid to the #BTC miners, making the main chain stronger
3/14
The native token is backed 1:1 with #BTC, it follows its price action. And can be converted back and forth at any time.
It is accurate to state that the entire #Rootstock (@RSKsmart ) network is designed from the ground up to make #Bitcoin stronger
Read 14 tweets
FREE #Microsoft #CISO Workshop on End-to-End Security & Strategic Guidlines

WHO should watch & What's in the Workshop?

Thread 🧵

docs.microsoft.com/en-gb/security…
❖ WHO should watch this #Workshop

The workshop is useful for #security_teams, IT teams, #business-leaders, and #cloud teams, but is primarily focused on:

• CIO + IT Directors
#CISO + Security Directors
#Enterprise + Security Architects
❖ Workshop FOCUS on - Key Context & Fundamentals discussion of

#Threat Enviorment and Trends
• Roles & Responsibilities
• Strategy & Recommended Initiatives
Read 6 tweets
1/n
The worst thing about the ongoing @solana @phantom/@slope_finance hack is that people don't even understand yet how screwed they are. Here's why this is worse than it seems, and a clear way we #web3 citizens can prevent this in the future👇
#solana #security #decentralization Image
2/n
First, a few misunderstandings out of the way.
This is not Solana team's fault: other wallets don't seem to be attacked
We also truly feel for the affected ones that are sad right now, and we hate to stomp on their hope.
But this is an important topic that has to be discussed
3/n
The worst possible calamity that can happen to a network is the leaks of private keys/seed phrases. Why? Imagine the best possible outcome. Let's say @aeyakovenko decides to reverse the chain and refund the stolen balances back to their owners. And let's skip the side effects Image
Read 26 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!