Many of our clients now support the BYOD and Remote Worker Model. Some of them might be thinking about ways they can secure their mobile workforce.
Cloud Security – FEDRAMP Standards
The US Federal Risk and Authorization Management Program (FedRAMP) is a "government-wide program that provides a standardized approach to security assessment authorization" for cloud service provider (CSP) solutions. As a Canadian, that standard gives us guidelines on how to build our own cloud solutions on native soil, but it also lets us take advantage of a lawful standard that commonly used providers, like Amazon, Google, and Microsoft, already adhere to.
Another Day, Another Docker Vulnerability
On the heels of the recent Docker Hub breach, we've got another Docker issue: a null root password. Folks, if you're going to rely on public images and builds for your overall system architecture, please please PLEASE consider baking your own hub, or scrutinise and sanitise what you're using.
Fingerprinting Apple Device Types by Sensors
The dark truth about fingerprinting hardware is that it can be used to specifically target particular weaknesses of mobile devices. Using the embedded magnetometer, gyroscope, and accelerometer, any web page can determine your device type by serving up some script. What this also means is that a mobile web site tab can pretty much follow you around town all day, even without GPS.
Royal Bank – Thumbs Up for Web Security Basics. CIBC and BMO, not so.
A very basic way of protecting your banking clients, even after they're done visiting your site: idle-time logouts. It seems that the Royal Bank was the only bank to "make the grade" when it comes to this one basic security configuration. Logging out idle users should be done actively, not passively.
A New Apple Supply Chain Compromise #gatekeeper
Hackers are leaving no stone unturned when it comes to scouring systems and software for an attack vector. Usually, an adversary is looking for one-off anomalies at the low end of computer programming, the 1's and 0's: a buffer overflow, protocol fuzzing, some kind of byte-level trickery. Nothing so brazen as a supply chain attack. These attacks are swift, trusted, and often skipped by antivirus and malware scanning. Last week I read about a terrible new Apple supply chain compromise.
Vulnerability Testing – That’s Only for the Big Guys, Right?
Assessing security defenses and testing for weaknesses is an essential feedback component of the continuous improvement cycle, canonized by several risk management frameworks. At RiPPUL, we look at vulnerability testing as an important component of a well-managed risk management program.
Video Image Detection and #surveillancecapitalism
Open source tools and computational power have progressed, but there's a worldwide race out there to weave the latest theories and algorithms together with cheap small-batch hardware. May the most accurate win.
Understanding Your Risk Profile
There may be dimensions to the risk profile of your organisation which you never considered. Let RiPPUL cybersecurity experts protect your business, your clients, and your livelihood.
Two Easy and Effective Ways for Web Developers or Regular Folk to Secure Against Bot Probing.
I've found two easy ways to stop bots from signing up and infiltrating a freshly pressed web site. If you've got no advanced IP (Geo/blacklist) filtering or email address spam checking built into your web-app, you should at least be throttling or hindering bot efforts using the tooling you've got at hand - your web …