SecurityCentric is your source for Blog Aggregation in the Security industry

Gmail client-side encryption: A deep dive

Nicolas Lidzborski, Principal Engineer and Jaishankar Sundararaman, Sr. Director of Engineering, Google Workspace. In February, we expanded Google Workspace client-side encryption (CSE) capabilities to include Gmail and Calendar in addition to Drive, Docs, Slides, Sheets, and Meet. CSE in Gmail was designed to provide commercial and public sector orga...

Lack of Candor on Background Investigation Forms Will Sink You

More and more often, on all levels of background investigations I see applicants who fail to disclose required information. Some attribute it to oversight and failing to thoroughly read the questions and others claim an unfamiliarity with filling out government forms. Regardless, all applicants must check the box on the

My Last Email with W. Richard Stevens

In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email. From "Capt Richard Bejtlich - Real Time Chief" Mon Sep 6 ...

TaoSecurity 299 days ago

Bejtlich Skills and Interest Radar from July 2005

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC. Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

TaoSecurity 299 days ago

Key Network Questions

I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third part...

TaoSecurity 299 days ago
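The post above describes answering "key network questions" by mining Zeek log data as it is created rather than querying a separate log repository. The following is an added example, not code from the TaoSecurity post, showing what that looks like for three such questions over Zeek conn.log records: which internal hosts accept connections from outside, where the most data leaves the network, and which external hosts are probing many internal host:port pairs without ever completing a handshake. The field subset, the internal address ranges and the sample records are all constructed for this example; the conn_state values and the "-" unset marker are Zeek's own.

```python
# Added example (not from the TaoSecurity post): answering a few "key network
# questions" directly from Zeek conn.log records as they are produced, with no
# separate log repository. The field subset, the internal address ranges and
# the sample records below are constructed for this example.
import ipaddress
from collections import Counter, defaultdict

# Assumption: these RFC 1918 ranges are "our" network; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zeek conn_state values for a completed handshake versus an attempt that was
# never answered or was refused (see Zeek's conn.log documentation).
ESTABLISHED = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0", "RSTRH"}


def _tsv(*cols):
    return "\t".join(cols)


# Constructed conn.log excerpt in Zeek's tab-separated format, trimmed to the
# fields this example needs ("-" is Zeek's unset marker).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "orig_bytes", "resp_bytes", "conn_state"),
    _tsv("1682553600.10", "C1a", "10.1.2.3", "51000", "93.184.216.34", "443", "tcp", "ssl", "1200", "54000", "SF"),
    _tsv("1682553601.20", "C1b", "10.1.2.3", "51002", "93.184.216.34", "443", "tcp", "ssl", "800", "12000", "SF"),
    _tsv("1682553602.30", "C1c", "10.1.2.9", "40001", "198.51.100.7", "53", "udp", "dns", "60", "120", "SF"),
    _tsv("1682553603.40", "C1d", "10.1.2.9", "40002", "203.0.113.5", "22", "tcp", "ssh", "250000", "4000", "SF"),
    _tsv("1682553604.50", "C1e", "203.0.113.77", "61000", "10.1.2.10", "443", "tcp", "ssl", "300", "5000", "SF"),
    _tsv("1682553605.60", "C1f", "203.0.113.77", "61001", "10.1.2.10", "443", "tcp", "ssl", "400", "7000", "SF"),
    _tsv("1682553606.70", "C1g", "198.51.100.200", "55000", "10.1.2.10", "22", "tcp", "-", "0", "0", "S0"),
    _tsv("1682553606.71", "C1h", "198.51.100.200", "55001", "10.1.2.10", "23", "tcp", "-", "0", "0", "REJ"),
    _tsv("1682553606.72", "C1i", "198.51.100.200", "55002", "10.1.2.11", "445", "tcp", "-", "-", "-", "S0"),
    _tsv("1682553606.73", "C1j", "198.51.100.200", "55003", "10.1.2.10", "3389", "tcp", "-", "0", "0", "S0"),
])


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format using its #fields header; returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header/footer lines (#separator, #close, ...)
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _count(value):
    return 0 if value == "-" else int(value)  # "-" means unset in Zeek logs


def inbound_services(rows):
    """Q: which internal hosts accept connections from outside, and on what service?"""
    c = Counter()
    for r in rows:
        if not is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"]) and r["conn_state"] in ESTABLISHED:
            c[(r["id.resp_h"], int(r["id.resp_p"]), r["service"])] += 1
    return c


def outbound_by_bytes(rows):
    """Q: where does data leave the network, ranked by bytes the internal side sent?"""
    c = Counter()
    for r in rows:
        if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"]):
            c[(r["id.resp_h"], int(r["id.resp_p"]), r["service"])] += _count(r["orig_bytes"])
    return c


def likely_scanners(rows, min_targets=3):
    """Q: which external hosts probed several internal host:port pairs without completing a handshake?"""
    targets = defaultdict(set)
    for r in rows:
        if not is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"]) and r["conn_state"] in NO_HANDSHAKE:
            targets[r["id.orig_h"]].add((r["id.resp_h"], int(r["id.resp_p"])))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    rows = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print("internal services reached from outside:", dict(inbound_services(rows)))
    print("top outbound destinations by bytes sent:", outbound_by_bytes(rows).most_common(3))
    print("likely scanners:", likely_scanners(rows))
```

Because the parser keys records by the #fields header rather than by column position, the same functions work against a live conn.log whose field list differs from the constructed excerpt, which is what makes it usable as the data is written rather than after it lands in a repository.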

Cybersecurity Is a Social, Policy, and Wicked Problem

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms: The search for scientific bases for confronting problems of...

TaoSecurity 299 days ago

Core Writing Word and Page Counts

I want to make a note of the numbers of words and pages in my core security writings. The Tao of Network Security Monitoring / 236k words / 833 pages; Extrusion Detection / 113k words / 417 pages; The Practice of Network Security Monitoring / 97k words / 380 pages; The Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pages; The Best of TaoSecurity Blog, Vo...

TaoSecurity 299 days ago

Supply chain security for Go, Part 2: Compromised dependencies

Julie Qiu, Go Security & Reliability, and Roger Ng, Google Open Source Security Team. Secure your dependencies: it's the new supply chain mantra. With attacks targeting software supply chains sharply rising, open source developers need to monitor and judge the risks of the projects they rely on. Our previous installment of the Supply chain security ...

Google Cloud Awards $313,337 in 2022 VRP Prizes

Anthony Weems, Information Security Engineer. 2022 was a successful year for Google's Vulnerability Reward Programs (VRPs), with over 2,900 security issues identified and fixed, and over $12 million in bounty rewards awarded to researchers. A significant amount of these vulnerability reports helped improve the security of Google Cloud products, which...

Protect and manage browser extensions using Chrome Browser Cloud Management

Posted by Anuj Goyal, Product Manager, Chrome Browser. Browser extensions, while offering valuable functionalities, can seem risky to organizations. One major concern is the potential for security vulnerabilities. Poorly designed or malicious extensions could compromise data integrity and expose sensitive information to unauthorized access. Moreover...

Phishing Email Purporting to be from DCSA Targets Clearance Holders

A few weeks ago, security clearance holders started getting emails that looked like they came from the Defense Counterintelligence and Security Agency (DCSA) that referenced the collection of information needed from them on an SF-86F (which does not exist) or SF86. In reality, it is a sophisticated malicious phishing email

Bringing Transparency to Confidential Computing with SLSA

Asra Ali, Razieh Behjati, Tiziano Santoro, Software Engineers. Every day, personal data, such as location information, images, or text queries are passed between your device and remote, cloud-based services. Your data is encrypted when in transit and at rest, but as potential attack vectors grow more sophisticated, data must also be protected during ...

Learnings from kCTF VRP's 42 Linux kernel exploits submissions

Tamás Koczka, Security Engineer. In 2020, we integrated kCTF into Google's Vulnerability Rewards Program (VRP) to support researchers evaluating the security of Google Kubernetes Engine (GKE) and the underlying Linux kernel. As the Linux kernel is a key component not just for Google, but for the Internet, we started heavily investing in this area. We ...

Department of Energy Clearance Applicants and Alcohol Consumption Concerns

A large number of the Department of Energy (DOE) security clearance appeals cases involve denials under Guideline G, Alcohol Consumption. As such, the DOE has a staff of psychologists on hand that evaluate security clearance applicants for various psychological disorders, to include Alcohol Use Disorders (AUD). Just last month, the

My Return to Techno Security Conference

I have a long history with the Techno Security Conference, thanks to my mentor and friend "Uncle" Jack Wiles. At one point, over 10 years ago, I was the conference's youngest ever keynote speaker. It's with great honor I return again this year to deliver a technical session on Zero Trust.

Security Uncorked 322 days ago

Announcing the Chrome Browser Full Chain Exploit Bonus

Amy Ressler, Chrome Security Team on behalf of the Chrome VRP. For 13 years, a key pillar of the Chrome Security ecosystem has included encouraging security researchers to find security vulnerabilities in Chrome browser and report them to us, through the Chrome Vulnerability Rewards Program. Starting today and until 1 December 2023, the first s...

Adding Chrome Browser Cloud Management remediation actions in Splunk using Alert Actions

Posted by Ashish Pujari, Chrome Security Team. Introduction: Chrome is trusted by millions of business users as a secure enterprise browser. Organizations can use Chrome Browser Cloud Management to help manage Chrome browsers more effectively. As an admin, they can use the Google Admin console to get Chrome to report critical security events to t...

Former USIS Background Investigator Denied Clearance Eligibility

Back in 2014, the US Investigations Services LLC (USIS) was the largest provider of personnel security investigations to the U.S. Government. That was until a whistleblower reported they were improperly submitting investigations to the Office of Personnel Management (OPM) without first performing a required review of the cases, a practice known

Time to challenge yourself in the 2023 Google CTF!

Vincent Winstead, Technical Program Manager. It's Google CTF time! Get your hacking toolbox ready and prepare your caffeine for rapid intake. The competition kicks off on June 23 2023 6:00 PM UTC and runs through June 25 2023 6:00 PM UTC. Registration is now open at g.co/ctf. Google CTF gives you a chance to challenge your skillz, show off your hacktas...

Google Trust Services ACME API available to all users at no cost

David Kluge, Technical Program Manager, and Andy Warner, Product Manager. Nobody likes preventable site errors, but they happen disappointingly often. The last thing you want your customers to see is a dreaded 'Your connection is not private' error instead of the service they expected to reach. Most certificate errors are preventable and one of the b...

Announcing the launch of GUAC v0.1

Brandon Lum and Mihai Maruseac, Google Open Source Security Team. Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the software industry to understand the software supply chain. In collaboration with Kusari, Purdue Uni...

How the Chrome Root Program Keeps Users Safe

Posted by Chrome Root Program, Chrome Security Team. What is the Chrome Root Program? A root program is one of the foundations for securing connections to websites. The Chrome Root Program was announced in September 2022. If you missed it, don't worry - we'll give you a quick summary below! Chrome Root Program: TL;DR Chrome uses digital cer...

The Whole-Person Concept for Security Clearance Applicants

In applying the Whole-Person Concept, an administrative judge or adjudicator must evaluate an applicant's eligibility for a security clearance by considering the totality of the applicant's conduct and all relevant circumstances. You will see this verbiage written in all of the case summaries by Defense Office of Hearings and Appeals judges.

New Android & Google Device Vulnerability Reward Program Initiatives

Posted by Sarah Jacobus, Vulnerability Rewards Team. As technology continues to advance, so do efforts by cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulne...

$22k awarded to SBFT 23 fuzzing competition winners

Dongge Liu, Jonathan Metzman and Oliver Chang, Google Open Source Security Team. Google's Open Source Security Team recently sponsored a fuzzing competition as part of ICSE's Search-Based and Fuzz Testing (SBFT) Workshop. Our goal was to encourage the development of new fuzzing techniques, which can lead to the discovery of software vulnerabilities and...

It Pays to Read the Entire Section Before Answering Police Record Questions on the SF86

Increasingly I come across background investigations where the applicant fills out the Questionnaire for National Security Positions (SF-86) and they fail to list required information in the police record section of the form. As a result, the investigation is conducted, information is found that contradicts the applicant's answers to the

Introducing a new way to buzz for eBPF vulnerabilities

Juan José López Jaimez, Security Researcher and Meador Inge, Security Engineer. Today, we are announcing Buzzer, a new eBPF fuzzing framework that aims to help harden the Linux kernel. What is eBPF and how does it verify safety? eBPF is a technology that allows developers and sysadmins to easily run programs in a privileged context, like an operating ...

Making authentication faster than ever: passkeys vs. passwords

Silvia Convento, Senior UX Researcher, Court Jacinic, Senior UX Content Designer, Becca Shareff, User Experience Researcher. In recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for site...

Introducing rules_oci

Appu Goundan, Google Open Source Security Team. Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (ruleset) that makes it simpler and more secure to build container images with Bazel. This effort was a collaboration we had with Aspect and the Rules Authors Special Interest Group. In this post, we...

So long passwords, thanks for all the phish

By: Arnar Birgisson and Diana K Smetters, Identity Ecosystems and Google Account Security and Safety teams. Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in. Passkeys are a more convenient and safer alternative to passwords....

Google and Apple lead initiative for an industry specification to address unwanted tracking

Companies welcome input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Location-tracking devices help users find personal items like their keys, purse, luggage, and more through crowdsourced finding networks. However, they can also be misused for unwanted tr...

Secure mobile payment transactions enabled by Android Protected Confirmation

Posted by Rae Wang, Director of Product Management (Android Security and Privacy Team). Unlike other mobile OSes, Android is built with a transparent, open-source architecture. We firmly believe that our users and the mobile ecosystem at-large should be able to verify Android's security and safety and not just take our word for it. We've demonst...

Short Takes 4-27-23

There Are Too Many Generals and Admirals, a Senator Stalling Military Promotions Argues. Military.com article. Pull quote: "I had not been aware that it was a controversial view that our military needs officers in charge of the 5th Fleet or the 7th Fleet," Warren said, alluding to two of the nominees caught in Tuberville's hold. "If the senator fro...

FRA Publishes Another Train Operations Safety Advisory 4-27-23

Today, the DOT's Federal Railroad Administration (FRA) published on their website a new safety advisory dealing with the operation of long trains. The instructions to railroad operators will not become official until they are published in the Federal Register, probably next week but, since these are non-regulatory instructions, that delay is not mat...

CISA Publishes Software Attestation 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (88 FR 25670-25672) for Request for Comment on Secure Software Development Attestation Common Form. This is supporting requirements outlined in OMB Memorandum M-22-18 for suppliers of software for the federal agencies to attest to conformity with secu...

Review 1 Advisory Published 4-27-23

Today, CISA's NCCIC-ICS published a medical device security advisory for products from Illumina. Advisories: Illumina Advisory - This advisory describes two vulnerabilities in the Illumina Universal Copy Service. For more details about the advisory, including a down-the-rabbit-hole look at research networks, see my article at CFSN Detailed Anal...

Co-Sponsor Added to HR 1623 CFATS Propane Exception

Yesterday, Rep Latta (R,OH) was added as a cosponsor to HR 1623, a bill that would add certain commercial propane storage facilities to the list of facilities excluded from the reporting requirements of the Chemical Facility Anti-Terrorism Standards (CFATS) program. Latta is a member of the House Energy and Commerce Committee to which this bill was...

How we fought bad apps and bad actors in 2022

Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety). Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions of installed apps each day across billions of Android devices to keep users safe from threats l...

NSF Sends CyberCorps Final Rule to OMB

Yesterday, the OMB's Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the National Science Foundation on NSF CyberCorps Scholarship for Service Program. According to the listing for this rulemaking in the Fall 2022 Unified Agenda: NSF is finalizing amendments to the CyberCorps Scholarship for Serv...

Bills Introduced 4-26-23

Yesterday, with both the House and Senate in session, there were 102 bills introduced. One of those bills may receive additional attention in this blog: HR 2875 To direct the North American Electric Reliability Corporation, in consultation with the Secretary of Energy, the Federal Energy Regulatory Commission, Regional Transmission Organizations, ...

Short Takes 4-26-23

Used Routers Often Come Loaded With Corporate Secrets. Wired.com article. Pull quote: "One of the big concerns I have is that, if somebody evil isn't doing this, it's almost hacker malpractice, because it would be so easy and obvious," Camp says. "Unfortunately this research needs to be redone and republished periodically because this is too easy to ex...

Celebrating SLSA v1.0: securing the software supply chain for everyone

Bob Callaway, Staff Security Engineer, Google Open Source Security team. Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version of SLSA at Google has shown that it's crucial to warding off tampering and keeping softwa...

DHS Sends Mobile Driver's License NPRM to OMB

Yesterday, the OMB's Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DHS on Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Waiver for Mobile Driver's Licenses. According to the Fall 2022 Unified Agenda list...

Bills Introduced 4-25-23

Yesterday, with both the Senate and House in session, there were 106 bills introduced. One of those bills may receive additional attention in this blog: HR 2866 To amend the Homeland Security Act of 2002 to establish Critical Technology Security Centers in the Department of Homeland Security to evaluate and test the security of critical technology...

Short Takes 4-25-23

'High bio-hazard risk' in Sudan after laboratory seized, WHO says. MSN.com article. Pull quote: There is a "high risk of biological hazard" in the Sudanese capital Khartoum after one of the warring parties seized a laboratory holding measles and cholera pathogens and other hazardous materials, the World Health Organization said on Tuesday. Patient ...

HR 2741 Markup CG Authorization Act of 2023

Today, the House Transportation and Infrastructure Committee announced a markup hearing for HR 2741, the Coast Guard Authorization Act of 2023. The Committee will consider substitute language for the bill that adds a number of new sections. The hearing web page currently lists twenty amendments that will be considered during the markup. I have not...

Review 2 Advisories Published 4-25-23

Today, CISA's NCCIC-ICS published two control system security advisories for products from SCADA-LTS and Keysight. Advisories: SCADA-LTS Advisory - This advisory discusses a cross-site scripting vulnerability in the SCADA-LTS open-source HMI. Keysight Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Ke...

Review - CSB Publishes Louisiana Bio-Lab Investigation Report

Yesterday, the Chemical Safety Board announced the publication of their final report on the investigation of the fire and chlorine gas release at the Bio-Lab manufacturing facility in Westlake, LA immediately following the passage of Hurricane Laura in August 2020. The incident was initiated when the roof was blown off of a portion of the plant in ...

Short Takes 4-24-23

The Supreme Court is about to hear a landmark online threats case. TheVerge.com article. Pull quote: But in part because of the internet's ubiquity and its norms of communication, the case has broad implications that make many civil liberties advocates uneasy. The case has drawn supporting briefs from the American Civil Liberties Union, the Electron...
