Security

I use 1Password password manager for saving all my passwords, various other credentials and private notes and it has been a lifesaver thus far. Having a unique password for all my accounts and using 2FA wherever available means I should be quite safe in case any of my accounts gets breached or the password gets leaked.

Notes

• SolarWinds supply chain attack: SolarWinds were pushing the malware in updates. The malware itself is your standard DLL injection that establishes C2 and then allows them to come in and install further tools on it. They pushed it to everyone via update and made it look authentic by leveraging SolarWind's token-based authentication in the update process. Delivered through a trusted code signed agent, the software goes to a central management server on your network that is used to inventory and manage network infrastructure. Also whoever did this would have vetted the exploit by running it against all known anti-malware and log analysis systems to ensure it wasn't flagged, there are great videos that show how to obfuscate code to get past signature based detection and this was attack was certainly planned out and not using off the shelf exploit kits that would detected

Links

• Lynis - Security auditing and hardening tool, for UNIX-based systems.
• Theo De Raadt presented "Pledge: A new security technology in OpenBSD" - Great talk.
• SeKey - Use Touch ID / Secure Enclave for SSH Authentication.
• DEF CON 26 - Christopher Domas - GOD MODE UNLOCKED Hardware Backdoors in redacted x86 (2018)
• SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.
• ClusterFuzz - Scalable fuzzing infrastructure which finds security and stability issues in software.
• Some security related notes
• RAMBleed - Reading Bits in Memory Without Accessing Them.
• Sliver - General purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS.
• Infosec_Reference - Information Security Reference That Doesn't Suck.
• Messaging Layer Security (MLS) - Security layer for encrypting messages in groups of size two to many.
• Molasses - Rust implementation of the Message Layer Security group messaging protocol.
• mkcert - Simple zero-config tool to make locally trusted development certificates with any names you'd like.
• Boulder - ACME-based CA, written in Go.
• If you were tasked to conduct a security audit on a server/database-backed web app, where would you start? (2019)
• Resilience engineering papers
• How Monzo security team handle secrets (2019)
• HoneyTrap - Extensible and opensource system for running, monitoring and managing honeypots.
• Flan Scan - Lightweight network vulnerability scanner.
• SSL/TLS Deployment Best Practices - Ivan Ristic (2017)
• Hardenize - Meet the new standard for network and security configuration monitoring.
• american fuzzy lop - Security-oriented fuzzer.
• Pwnagotchi - Deep Reinforcement Learning instrumenting bettercap for WiFi pwning.
• is-website-vulnerable - Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
• camo - HTTP proxy to route images through SSL. Making insecure assets look secure.
• Vault - Tool for secrets management, encryption as a service, and privileged access management. (Web)
• Awesome Hacking
• OSS-Fuzz - Continuous Fuzzing for Open Source Software.
• Wifiphisher - Rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. (Code)
• crunchy - Finds common flaws in passwords. Like cracklib, but written in Go.
• Redirect attack on Shadowsocks stream ciphers
• Dispatch - All of the ad-hoc things you're doing to manage incidents today, done for you, and much more.
• Sublist3r - Fast subdomains enumeration tool for penetration testers.
• disclose.io - Cross-industry, vendor-agnostic standardization project for safe harbor† best practices to enable good-faith security research. (Code) (GitHub)
• Awesome Zero trust - Curated collection of awesome resources for the zero-trust security model.
• CS 253 Web Security (2019) (Videos)
• vaulted - Spawning and storage of secure environments.
• Destructive Farm - Exploit farm for attack-defense CTF competitions.
• Panther - Cloud-native platform for detecting threats with log data, improving cloud security posture, and conducting investigations.
• bettercap - Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.
• security.txt - Proposed standard which allows websites to define security policies.
• lego - Let's Encrypt client and ACME library written in Go.
• Security Engineering - A Guide to Building Dependable Distributed Systems (HN)
• Michal Zalewski's security tools/articles
• Smashing The Stack For Fun And Profit
• CS 161: Computer Security (2020)
• hashcat - World's fastest and most advanced password recovery utility.
• Awesome Object Capabilities and Capability-based Security
• Brim - Open source desktop application for security and network specialists.
• testssl.sh - Command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
• AFL++ - Fuzzing framework. (Web)
• Awake Security - Advanced Network Traffic Analysis Solution.
• A Defender’s Guide For Rootkit Detection: Episode 1 – Kernel Drivers (2020)
• OpenSC - Open source smart card tools and middleware.
• Hacker tools on Go
• Ask HN: Any good FOSS alternative to Google's reCAPTCHA? (2020)
• SnapPass - Share passwords securely.
• yubikey-agent - Seamless ssh-agent for YubiKeys. (HN)
• Resources for Beginner Bug Bounty Hunters
• Web Security Basics
• A Guide to Threat Modelling for Developers (2020)
• The SSO Wall of Shame - List of vendors that treat single sign-on as a luxury feature, not a core security requirement.
• Black Hat Go book (Code)
• How to Become a Hacker (2020) (HN) (Lobsters)
• Web Security 101: Cross-Site Scripting (XSS) Attacks
• Ask HN: How does your company manage its encryption keys? (2020)
• Password Manager Resources - Place for creators of password managers to collaborate on resources to make password management better for everyone.
• A Well-Known URL for Changing Passwords (Code)
• Learn Security Engineering
• Zebra Crossing: an easy-to-use digital safety checklist
• Best practices for managing & storing secrets like API keys and other credentials (2020) (Reddit) (HN)
• gopass - Password manager for the command line written in Go.
• Rosetta - Simple, scriptable file encryption tool.
• Mozilla SSL Configuration Generator (Code)
• OWASP Amass - In-depth Attack Surface Mapping and Asset Discovery.
• tl;dr sec Newsletter
• Flipper Zero - Tamagochi for Hackers. (HN) (HN) (Flipper Android App) (Firmware) (Awesome) (Twitter) (Read and replay hotel key cards)
• Security@ Conference
• I'm Open Sourcing the Have I Been Pwned Code Base (2020) (HN)
• Security Research from the Microsoft Security Response Center
• Researchers can duplicate keys from the sounds they make in locks (2020) (HN)
• DEF CON - Hacking Conference.
• Threat modelling case study: bicycles (2020) (Lobsters)
• GTFOBins - Curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. (Code) (Lobsters) (HN)
• MinTOTP - Minimal TOTP generator written in Python. (Lobsters)
• Information Security Requires Strongly-Typed Actors and Theories (2019)
• Intercepting Zoom's encrypted data with BPF (2020)
• Payloads All The Things - List of useful payloads and bypass for Web Application Security and Pentest/CTF.
• Bypassing ESP32 Encrypted Secure Boot (2020)
• F-Secure Labs - Cyber security research and development.
• Hacking Apple (2020) (HN)
• Penetration Testing Tools
• Chamber - CLI for managing secrets. Currently it does so by storing secrets in SSM Parameter Store, an AWS service for storing secrets.
• Cyber Security Resources (Web)
• HowToHunt - Some Tutorials and Things to Do while Hunting Particular Vulnerability.
• EarlyBird - Sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
• Awesome Hacking - Curated list of hacking tools for hackers, pentesters and security researchers. (Web)
• HashiCorp Boundary (2020) - Simple and secure remote access — to any system anywhere based on trusted identity. (Code) (Announcement) (HN)
• mc2 - Multiparty Collaboration + Coopetition projects.
• Google Security Research - Hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google.
• Timesketch - Collaborative forensic timeline analysis.
• XSStrike - Advanced XSS Detection Suite.
• GHunt - Investigate Google Accounts with emails.
• HideAndSec - Group of cybersecurity enthusiasts.
• OWASP Cheat Sheets - Collection of high value information on specific application security topics. (Code)
• Tricks for penetration testing
• Malware Source Code Collection
• Research code & papers from members of vx-underground
• Passguard - Decentralised and 100% secure password manager. (Code)
• Web Hacker's Weapons - Collection of cool tools used by Web hackers.
• Crowdsec - Modern behavior detection system, written in Go. (Web)
• Awesome Security
• A Researcher’s Guide to Some Legal Risks of Security Research (2020)
• Spacehuhn Technologies - Open Source Hacking Tools. (GitHub)
• Security features of musl (Lobsters)
• Mozilla SSL Configuration Generator
• Infection Monkey - Open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.
• Clean up your digital hygiene (2020)
• OSS Security Scorecards
• Gophish - Open-Source Phishing Toolkit. (Web)
• OpenEDR - Free and open source platform allows you to analyze what’s happening across your entire environment at base-security-event level.
• MITRE open source (GitHub)
• r2c - Enforcing code guardrails on every commit. (GitHub)
• Awesome Security Feeds
• Neurax - Library for constructing self-spreading binaries.
• Cloud Custodian - Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources. (Web)
• Depix - Tool for recovering passwords from pixelized screenshots. (HN)
• Honest Security - Guide to endpoint security and device management that doesn't erode your values. (Code)
• Metasploit - Penetration testing framework. (Code)
• Awesome CTF (Capture The Flag)
• Quarkslab - Software and security services.
• Security Christmas
• HackTricks - Penetration testing hacks/tricks. (Code)
• Machine Learning for Security Course
• Drata - Put SOC 2 Compliance On Autopilot.
• Escaping VirtualBox 6.1 (2021) (HN)
• Our Dumb Security Questionnaire (2021) (HN)
• The SOC2 Starting Seven (2020) (HN)
• Ask HN: Where can I start learning about hacking? (2021)
• Awesome Open Policy Agent
• Hacker Roadmap - Beginner pen-testing start guide.
• Heap-based buffer overflow in Sudo (2021) (Lobsters)
• Ask HN: Any tips for a programmer wanting to switch into security? (2021)
• Free CyberSecurity Professional Development Resources
• Awesome Mobile Security
• GitHub Learning Lab: Security Strategy Essentials
• Darkbit - Cloud-native security built for your business.
• What hardware and software should I use for a self hosted home security system? (2021)
• CALDERA - Scalable Automated Adversary Emulation Platform.
• Bug Bounty Cheat Sheet
• Hack The Box - Hacking Training For The Best. Individuals & Companies.
• Pentesting: What I should have done (2021)
• A future without passwords (2021) (HN)
• Introduction to Security Good Practices (2021) (HN)
• resync - Curate, monitor, and derive signal from the world's attack surface.
• Aqua Security - Full lifecycle security for containers and cloud-native applications. (GitHub)
• Starting Up Security - Collection of information security essays and links to help growing teams manage risks.
• How We Protect Pinners’ Passwords (2021)
• An Incomplete List of Practical Security for Mortals (2021)
• Secretless Broker - Secure your apps by making them Secretless.
• Probably Are Gonna Need It: Application Security Edition (2021)
• Cybersecurity and the curse of binary thinking (2021) (HN)
• zxcvbn - Low-Budget Password Strength Estimation.
• Learnings from looking for NSO Group's spyware on phones (2021)
• Mobile Verification Toolkit (MVT) - Forensic tool to look for signs of infection in smartphone devices. (HN)
• Abertay Hacksoc Wiki (Code)
• The Insecurity Industry (2021) - The greatest danger to national security has become the companies that claim to protect it. (HN)
• Canonicalization Attacks Against MACs and Signatures (2021) (Lobsters)
• Elkeid - Cloud-Native Host-Based Intrusion Detection solution project to provide next-generation Threat Detection and Behavior Audition with modern architecture.
• One Bad Apple (2021) (HN)
• Sniptt - The secret manager built for developers. (Code) (CLI)
• go-tuf - Go implementation of The Update Framework (TUF), a framework for securing software update systems.
• Another free CA as an alternative to Let's Encrypt (2021) (HN)
• RBAC like it was meant to be (2021)
• Secure Software Development Fundamentals Courses (Code)
• Blocksec CTFs - Curated list of blockchain security Capture the Flag (CTF) competitions.
• Vaultwarden - Unofficial Bitwarden compatible server written in Rust.
• OWASP Top 10 2021 - Nonprofit foundation that works to improve the security of software. (Code) (HN)
• Secure Mobile Networking Lab (GitHub)
• Microsoft ruined passwords, now aims for a passwordless future (2021) (HN)
• Machine Learning Security / Adversarial Machine Learning PhD seminar (2021) (Web)
• PASETO: Platform-Agnostic Security Tokens - Everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards.
• Salus (Security Automation as a Lightweight Universal Scanner) - Tool for coordinating the execution of security scanners.
• LimeLighter - Tool for generating fake code signing certificates or signing real ones.
• cocert - Split and distribute your private keys securely amongst untrusted network.
• Awesome Google VRP Writeups
• Open Source Security Foundation (OpenSSF) (GitHub) (Reviews)
• Allstar - GitHub App installed on organizations or repositories to set and enforce security policies.
• WAFW00F - Web Application Firewall Fingerprinting Tool.
• Analyzing the Mario Themed Malware (2021)
• Keyscope - Key and secret workflow (validation, invalidation, etc.) tool built in Rust.
• SpectralOps - Automated Code Security for Modern Teams. (GitHub)
• sizeof(cat)
• Profian - Proven security for the untrusted cloud.
• Security is a layered approach. No single layer alone can protect us. (2021)
• Trustworthy Computing in 2021 (HN)
• Terrascan - Static code analyzer for Infrastructure as Code.
• SLSA (Supply-chain Levels for Software Artifacts) - Security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. (Code)
• Modern security stack (2021)
• Notary - Aims to make the internet more secure by making it easy for people to publish and verify content.
• Sigstore - New standard for signing, verifying and protecting software. (GitHub) (Web Code)
• Rekor - Fulfills the signature transparency role of sigstore's software signing infrastructure.
• Keylime - Bootstrap & Maintain Trust on the Edge / Cloud and IoT. (Code)
• fulcio - Sigstore WebPKI.
• Trojan Source Attacks - Attack the encoding of source code files to inject vulnerabilities. (HN) (Code)
• Ask HN: Is the ISO 27001 certification worth it? (2021)
• CNCF Security Technical Advisory Group - Secure access, policy control, privacy, auditing, explainability and more.
• Klaro - Privacy and security tool for your website. (Code) (Comment)
• Never update anything (2021) (Lobsters) (HN)
• Nym Privacy Platform - Provides strong network-level privacy against sophisticated end-to-end attackers, and anonymous transactions using blinded, re-randomizable, decentralized credentials. (Web)
• Living Off Trusted Sites - List of legitimate domains that can be abused by attackers. (Tweet)
• I hate password rules (2021) (HN)
• TruffleHog - Find credentials all over the place. (Web)
• trufflehog3 - Enhanced version of the truffleHog scanner.
• Accidentally a hacker (2020)
• How Monzo protects its most sensitive secrets from the most determined attackers (2021) (HN)
• Web Attack Cheat Sheet
• Software security paper list
• LunaSec - End-to-end security system designed to protect your application by transparently encrypting sensitive data, from browser to database. (Docs)
• certinfo - Print x509 certificate info.
• Notes and writeups on CTFs
• ZLint - X.509 Certificate Linter focused on Web PKI standards and requirements.
• Exploiting the Qualcomm NPU (neural processing unit) kernel driver (2021)
• In-House CA - Simple online X.509 certificate authority.
• Caido - Lightweight Web Security Auditing Toolkit.
• Personal Zero-Trust HashiCorp Vault (Tweet)
• extrude - Scan binaries for missing security features, information disclosure and more.
• Barbican - ReST API designed for the secure storage, provisioning and management of secrets, including in OpenStack environments.
• Cryptr - GUI for Hashicorp's Vault.
• Cloud Service Provider security mistakes
• ACMEd - ACME (RFC 8555) client daemon. Allows to automate X.509 certificates signing by a Certification Authority (CA).
• A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution (2021) (HN)
• Cache Poisoning at Scale (2021)
• acmetool - Automatic certificate acquisition tool for ACME (Let's Encrypt).
• My Infosec Awesome - Curated list of awesome links, resources and tools on infosec related topics.
• HubbleStack - Modular, open-source security compliance framework.
• Cyber Plumber's Handbook
• objection - Runtime Mobile Exploration.
• Inspektor - Access control layer for all your data sources. It act as gaurdian and enforces access polices to all your data sources. (Lobsters)
• wholeaked - File-sharing tool that allows you to find the responsible person in case of a leakage.
• Perfect Blue's CTF Writeups
• Awesome Real-time Communications hacking & pentesting resources
• Splunk Security Content
• Collection of macOS and iOS security resources.
• Awesome Security Hardening
• SentryPeer - Distributed list of bad actor IP addresses and phone numbers collected via a SIP Honeypot. (Web) (HN)
• Witness - Pluggable framework for software supply chain security.
• Top 10 web hacking techniques of 2021 (HN)
• Awesome Executable Packing
• Secman - Human-friendly and amazing secrets manager. (GitHub)
• My password sharing mini-project (2022) (HN)
• Never use text pixelation to redact sensitive information (2022) (HN) (Code)
• Almost every publicly available CVE PoC
• Threat Modeling: A Practical Guide for Development Teams Book
• How to Secure Anything
• Exploring content of X.509 certificates
• Medusa - CLI tool for importing and exporting Hashicorp Vault secrets.
• Security for package maintainers (2022) (Lobsters)
• Awesome Asset Discovery - Asset Discovery is the initial phase of any security assessment engagement, be it offensive or defensive.
• NSA Network Infrastructure Security Guidance (HN)
• Who's Attacking My Server? (2022) (HN)
• Keyhouse - Skeleton of general-purpose Key Management System written in Rust.
• Pouch - Secret management tool written in Swift.
• bom (Bill of Materials) - Create SPDX-compliant Bill of Materials.
• OSSF Security Tooling
• EnvKey - End-To-End Encrypted Environments. (Code)
• How we secure Monzo’s banking platform (2022) (HN)
• relic - Multi-tool and server for package signing and working with hardware security modules (HSMs).
• Trickest - Workflow-powered solution for Bug Bounty, Pentesting, SecOps.
• Secretlint - Pluggable linting tool to prevent committing credential.
• Dotenv Vault - Securely syncs secrets and app configuration across your machines, environments, and team members.
• Starbase - Graph-based security analysis for everyone.
• Random Mosaic – Detecting unauthorized physical access with beans, lentils and colored rice (2021)
• HackerOne - Hacker-Powered Security, Bug Bounties, and Pentests. (Go Client)
• Grapl - Graph platform for Detection and Response. (Code)
• PARSEC - Open-source initiative to provide a common API to hardware security and cryptographic services in a platform-agnostic way.
• SecurityZines
• Fugue - Cloud Infrastructure Security & Compliance from Code to Runtime. (GitHub)
• Curiefense - Unified, open source platform protecting cloud native applications.
• amber - Manage secret values in-repo via public key cryptography.
• secrets - Command-line tool to prevent committing secret keys into your source code.
• Certify - Automatic client and server certificate distribution and maintenance.
• IOTA Stronghold - Secret management engine written in rust.
• Package Analysis - Components to aid in the analysis of open source packages, in particular to look for malicious software.
• Teller - Secrets management tool for developers built in Go - never leave your command line for secrets. (Code)
• Awesome Cloud Security
• Awesome Cyber Security Newsletters
• Awesome Application Security Checklist
• Awesome Web Security
• Session - Onion routing based messenger. (Code)
• Software Supply-Chain Security Reading List
• Publications from Trail of Bits
• Awesome Secure Computation - Paper summary for cryptography-based secure computation papers.
• Project Zero - Team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems. (Docs and Tools)
• Hertzbleed Attack - New family of side-channel attacks: frequency side channels. (HN) (Code)
• A Roadmap to Zero Trust Architecture
• Himitsu - Secure secret storage system for Unix-like systems. It provides an arbitrary key/value store (where values may be secret) and a query language for manipulating the key store.
• Arkana - Store your keys and secrets away from your source code. Designed for Android and iOS projects.
• Google CTF
• Security best practices for small company (2022)
• Automating and Defending Nefarious Automation (2022)
• Global Security Database (Code)
• Corrupting memory without memory corruption (2022)
• Wi-Fine: it is fine to use public Wi-Fi (Lobsters) (HN)
• sget - Command for safer, automatic verification of signatures and integration with Sigstore's binary transparency log, Rekor.
• Open Source Software Secure Supply Chain Framework