Set up Developers with separate local admin accounts [migrated]

At work, our developers are local administrators on their Windows 10 machine. This is risky since we want to somewhat mitigate risks such as drive-by-download, but we also want productivity and some degree of freedom so we don’t want to fo…

Best way to apply least privilege to one specific jar application on Linux

Let’s say I have some Java application running on the host and doing different things, and now I have built a jar that captures network traffic. While reading What’s a least-privilege way to allow node.js to access network adapters on Linux?,…

Unable to write to C:\ folder when logged in through BUILTIN\Users account | Windows Privilege Escalation | Unquoted Service Path

I have made an auto-start service from user (who is only in Administrators group and not Users) command prompt which is vulnerable to Unquoted Service Path.

Executable path: C:\Program Files\A Subfolder\B Subfolder\C Subfol…

Netsparker’s Weekly Security Roundup 2018 – Week 05

Table of Contents

Why You Should Be Careful What You Put Into Your composer.json File
Why You Need to Use a Package Manager

Composer Package Manager Can Expose Sensitive Information
The Principle of Least Privilege Limits Exploitation Opportunities

How does separating concerns into separate processes (without enforcement) help security?

In this talk on privilege separation, Theo de Raadt explains that OpenBSD’s ntpd has a master process which calls settimeofday(), a DNS process responsible for querying DNS servers, and an NTP protocol process which is respon…