Threat Modeling is the process of building and analyzing representations of a system to highlight concerns about security characteristics.
Threat Modeling is a proactive and iterative approach for identifying security issues and reducing risk. The output of a threat modeling exercise is a list of threats - or even better - risks, that further inform decisions in the continued operation of the system. This process can be performed before any code is written or infrastructure is deployed, which makes it an efficient way to identify potential threats, vulnerabilities and risks early.
Large data-hungry corporations dominate the digital world but with little, or no respect for your privacy. Migrating to open-source applications with a strong emphasis on security will help stop corporations, governments, and hackers from logging, storing or selling your personal data.
Yopass is a project for sharing secrets in a quick and secure manner*. The sole purpose of Yopass is to minimize the amount of passwords floating around in ticket management systems, Slack messages and emails. The message is encrypted and decrypted locally in the browser; only the ciphertext is sent to Yopass, never the decryption key, which is shown once, at encryption time. Yopass then returns a one-time URL with the specified expiry date.
There is no perfect way of sharing secrets online and there is a trade-off in every implementation. Yopass is designed to be as simple and "dumb" as possible without compromising on security. There's no mapping between the generated UUID and the user that submitted the encrypted message. It's always best to send all the context except the password over another channel.
Messages can only be viewed once. Messages can self-destruct automatically. No accounts or registration are required.
Has CLI functionality built in.
Uses memcached or redis as its back-end.
Public instance: https://yopass.se/
CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch stuff, and that's a set of behaviours that started with the very first web browser over thirty years ago. Since then, it's been a constant source of development; adding features, improving defaults, and papering over past mistakes without breaking too much of the web.
Anyway, I figured I'd write down pretty much everything I know about CORS, and to make things interactive, I built an exciting new app.
A password manager/generator that takes a master password, a URL, a username, and optionally a serial number (for when you have to change passwords) and (re)generates the password for you. Requires no database or third-party storage - the right password is always generated for you. Desktop versions, browser plugins, and a CLI tool.
No notepad feature, so no storing your 2fa recovery codes there.
The use of IMSI-catchers (rogue cell towers) by hackers and governments around the world has been increasing steadily. Rogue cell towers, which can be as small as a home router, pose a large security risk to anyone with a phone. If one is in range, your phone will connect to it automatically with no indication that anything has happened; from that point your traffic passes through the rogue tower and can leak sensitive information about you and your device. Currently there is no easy way to protect a phone from connecting to a rogue tower (aside from some Android apps, which are phone specific and require root access).
This project demonstrates how you can create a rogue cell tower detector using a Raspberry Pi and a SIM 900 module. The detector can identify rogue towers and triangulate their location. The demonstration uses a SIM 900 GSM module to fingerprint each cell tower and determine the signal strength of each tower relative to the detector.
Tools, scripts and tips useful during Penetration Testing engagements.
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
The CSRC provides a searchable database of resources on the topic of counter-surveillance, with a focus on targeted surveillance against people who have things to hide. We want to help anarchists and other rebels acquire a practical understanding of the surveillance threats they may face in their struggles and in their lives. We prefer resources written by friends and understandable without prior technical knowledge.
A curated checklist of tips to protect your digital security and privacy.
A smart solution to the problem of passwords. Cloverleaf generates passwords on demand, using the name of the app you're making a password for and a master password to derive a passcode. Enter those two things and you don't need to store the passcode because you can re-generate it whenever you want.
Can be installed as a native app and used offline.
The HTTP response headers that this site analyses provide a substantial layer of protection, and it's important that sites deploy them. By providing an easy way to assess them, together with guidance on how to deploy any that are missing, the hope is to drive up the use of security headers across the web.
Script that detects whether a stranger is trying to use your laptop, or whether the person trying to drive your car is a stranger or an authorized driver. It detects the face and emails you if the user is not recognized.
Repository containing useful links for all things Physical Security.
A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys.
chasquid is an SMTP (email) server with a focus on simplicity, security, and ease of operation.
It sends and receives email as a typical MTA (for example, it can be used instead of Postfix or Exim), and it is designed mainly for individuals and small groups.
It's written in Go, and is open source under the Apache license 2.0.
A wireless auditing tool implemented as a shell script that uses other tools to do the job.
A site that documents the practice of letterlocking - cleverly folding, cutting, and sealing letters in the 17th century for tamper evidence and security.
Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.
Requires an API key for SHODAN.
Teaching the server tech you need for development and production. Eliminating the frustration of server configuration. Databases, configuration management, containers, proxies, security, PHP, and much more.