Security


Secure File Encryption Google Chrome Extension

posted May 8, 2020, 6:54 AM by Chris G   [ updated May 8, 2020, 6:55 AM ]

Securely store private files in your Google Drive
This app provides bank-grade AES256 encryption to protect your private files stored on Google Drive™.

No unencrypted data ever leaves your own computer.


Free phishing security test

posted Apr 18, 2020, 12:30 PM by Chris G   [ updated Apr 18, 2020, 12:31 PM ]

KnowBe4

Find out what percentage of your employees are Phish-prone with our free test.


Did you know that 91% of successful data breaches started with a spear-phishing attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks!

Phishing Security Test

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and effective cybersecurity best practice to patch your last line of defense: USERS.

Why? If you don't do it yourself, the bad guys will.


Controlling outbound traffic from Kubernetes

posted Apr 14, 2020, 1:43 PM by Chris G   [ updated Apr 14, 2020, 1:43 PM ]

At Monzo, the Security Team's highest priority is to keep your money and data safe. And to achieve this, we're always adding and refining security controls across our banking platform.

Late last year, we wrapped up a major networking project which let us control internal traffic in our platform. This gave us a lot of confidence that malicious code or an intruder compromising an individual microservice wouldn't be able to hurt our customers.

Since then, we've been thinking about how we can add similar security to network traffic leaving our platform. A lot of attacks begin with a compromised platform component 'phoning home' — that is, communicating with a computer outside of Monzo that is controlled by the attacker. Once this communication is established, the attacker can control the compromised service and attempt to infiltrate deeper into our platform. We knew that if we could block that communication, we'd stand a better chance at stopping an attack in its tracks.



Securing your bastion hosts with Amazon EC2 Instance Connect

posted Aug 28, 2019, 7:50 AM by Chris G   [ updated Aug 28, 2019, 7:51 AM ]


In a previous blog post, I discussed how you can use AWS Systems Manager Session Manager to securely connect to your private instances in your virtual private cloud (VPC) without needing an intermediary bastion host, open ports, or a key pair assigned to the instances. In this post, I cover how you can improve the security of your existing bastion hosts by using Amazon Elastic Compute Cloud (Amazon EC2) Instance Connect. I also demonstrate how you can use an AWS Lambda function to automate your security group configuration to allow access from the published IP address range of the EC2 Instance Connect service. This is necessary if you want to connect to your instances using Instance Connect from the Amazon EC2 console.

Stop disabling SELinux

posted Feb 15, 2019, 7:51 AM by Chris G   [ updated Feb 15, 2019, 7:52 AM ]

Seriously, stop disabling SELinux.
Learn how to use it before you blindly shut it off.

Every time you run setenforce 0, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.


JSON Web Token

posted Jun 14, 2018, 6:55 AM by Chris G   [ updated Jun 14, 2018, 6:57 AM ]

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Although JWTs can also be encrypted to provide secrecy between parties, we will focus on signed tokens. Signed tokens let a recipient verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key could have signed it.



GnuPG - The GNU Privacy Guard

posted May 12, 2018, 8:26 AM by Chris G   [ updated May 12, 2018, 8:27 AM ]


GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).



Boxcryptor - Security for your Cloud

posted May 12, 2018, 8:24 AM by Chris G   [ updated May 12, 2018, 8:24 AM ]

Boxcryptor for Individuals

Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice.



Boxcryptor is free to use with one cloud storage provider on two devices. 




Inspec - Compliance as code

posted May 1, 2017, 9:57 AM by Chris G   [ updated May 1, 2017, 9:58 AM ]


InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.

This tool can also be used to validate the deployment of new systems by describing what should/should not be installed. Great stuff!

Salted Password Hashing - Doing it Right

posted Mar 13, 2017, 1:22 PM by Chris G

A very nice article with examples:
