cybersecurity

This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

The original post: /r/cybersecurity by /u/ThrillSurgeon on 2024-10-13 10:59:10.
The original post: /r/cybersecurity by /u/Rxmp on 2024-10-13 10:34:59.

I am interested in the niche of Email Analysis in Cyber Security. I have seen many roles for SPAM engineer, SPAM analyst, and Email Malware analyst starting to appear. I wanted to understand what you do, how interesting the work is, and if you enjoy it.

The original post: /r/cybersecurity by /u/MaximumLetter4257 on 2024-10-13 10:00:19.

I'm male, 23 years old, from Italy. I already have a degree in political science, but unfortunately this has never been my path. In the end I finished my degree to make my parents happy. A year ago I started another degree in computer engineering and I really like it. However, I would like to learn more about cybersecurity. Any ideas where to start?

The original post: /r/cybersecurity by /u/towtoo893 on 2024-10-13 07:25:35.
The original post: /r/cybersecurity by /u/ElectroStaticSpeaker on 2024-10-13 06:46:20.
The original post: /r/cybersecurity by /u/eatsweets3232 on 2024-10-13 02:49:56.

I'm 17 and have been getting into cybersecurity, reading up and studying on it here and there. I recently searched for cybersecurity content on TikTok, and honestly, it's crazy how many people in the comments seem to think it's some kind of easy way to make quick money. I know for a fact that cybersecurity isn't a walk in the park, and it's definitely not a free money generator like people make it out to be. The same goes for computer science: it takes serious effort and skill.

The original post: /r/cybersecurity by /u/Serious-Summer9378 on 2024-10-13 02:07:26.
The original post: /r/cybersecurity by /u/Due-Student946 on 2024-10-13 01:01:08.

I'm a Cybersecurity student with previous experience in Cybersecurity, but I have a very limited idea about coding. I passed the HackerRank for Goldman after a lot of practice and recently got invited for the Superday.

But, I'm seeing a CoderPad link with my interview. What is this? Does that mean I will have to code live with an interviewer?

I'm pissing my pants to be honest. I wanted this role for a long time but coding is not my forte!

The original post: /r/cybersecurity by /u/mohusein on 2024-10-12 22:11:40.

Hi everyone,

I'm trying to encrypt data at the application level, store the encrypted data in a database, and then decrypt it when needed.

I learnt that I need to keep my keys in a secure place such as AWS KMS.

Here is the problem: if for any reason AWS decided to lock me out of the account and I can't access the keys, I will not be able to access my data.

Is there a solution where I can keep a copy of the key locally but still use it with a service like AWS KMS?

I'm traumatized by the idea of a third party having full control over a crucial aspect like this, because last year I was locked out of my RDS for like 5 days just for changing my payment details, so never again am I giving any service provider such high power.

Thanks for any input.

The original post: /r/cybersecurity by /u/cyberkite1 on 2024-10-12 21:38:33.

Chinese researchers have "reportedly" cracked "military-grade encryption" using a quantum computer, marking a significant threat to global security?

The D-Wave system used in this breach targets Substitution-Permutation Network (SPN) algorithms commonly found in sectors like military and finance.

While no specific passcodes were cracked, this breakthrough suggests that quantum computing is rapidly advancing beyond traditional encryption defenses.

The breakthrough hinges on the quantum annealing algorithm, leveraging quantum tunneling effects. Unlike traditional algorithms, which explore every possible solution path, this method allows quantum systems to 'tunnel' through computational barriers to reach solutions faster. Researchers also integrated classical algorithms like Schnorr and Babai for a hybrid approach to cracking encryption.

Does this development present a potential leap in quantum computing applications, particularly in cryptography? As quantum hardware evolves, encryption methods may need urgent reconsideration to protect sensitive information?

It is now urgent that Google, Microsoft, Apple and other major Western technology companies act to switch to quantum-hardened encryption, while ensuring it is still strong on standard computers.

Articles:

Interesting Engineering: https://interestingengineering.com/science/china-military-encryption-hacking-quantum-system

Quantum Insider: https://thequantuminsider.com/2024/10/11/chinese-scientists-report-using-quantum-computer-to-hack-military-grade-encryption/

China SCMP paper: https://www.scmp.com/news/china/science/article/3282051/chinese-scientists-hack-military-grade-encryption-quantum-computer-paper

The original post: /r/cybersecurity by /u/flacao9 on 2024-10-12 17:30:48.
The original post: /r/cybersecurity by /u/itcsps4 on 2024-10-12 17:26:42.

Is there a difference? I'm on the job hunt and I noticed there are Enterprise Security roles popping up that to me look similar (or the same) as a Security Engineer role. Is this the new evolution of the "Security Engineer", or am I missing something?

The original post: /r/cybersecurity by /u/ka2er on 2024-10-12 16:46:25.

How do you find quality profiles, especially in France (north-east Paris area)? I have a position open and I would be interested to hear how you chase the right candidate. Which method do you use if the company is not listed on the CAC 40 index or is not a cyber specialist?

Any advice or real-life experience is very much appreciated.

The original post: /r/cybersecurity by /u/madhanmaaz on 2024-10-12 16:24:00.
The original post: /r/cybersecurity by /u/SadCryptographer7976 on 2024-10-12 16:21:54.
The original post: /r/cybersecurity by /u/wisdom_of_east on 2024-10-12 12:36:21.

Please consider sharing your insight on my project...

🔧 GitHub Repository [Oblivious SRP Library]

Explore the repo and README to get started.

💡 Feedback Request [GitHub Discussions], or email me directly by clicking here! Also, everyone is welcome to post their feedback in the comments or message me on Reddit itself.

Greetings,

I’m excited to announce the release of my dev project called Oblivious SRP, an evolution of the already highly secure Secure Remote Password (SRP) protocol. SRP is well-known for its use of zero-knowledge password proof, meaning the user’s password is never stored anywhere—not on the client, not even on the server. In SRP, passwords are never even sent over the network, not even in encrypted form! This makes SRP far more secure than other password-based systems. Hence, many major players like Apple and Skiff-mail make extensive use of SRP protocol in their products.

What makes SRP so secure?

  • No Password Storage: SRP doesn’t store your password, not even in an encrypted form. Instead, the password is transformed into a verifier that the server stores. The server uses this verifier to authenticate the user without ever learning the actual password.
  • No Password Transmission: During authentication, the user's password is never transmitted, not even in encrypted form. Instead, a mathematical proof is exchanged, allowing the server to verify the password without knowing it.
  • This makes SRP immune to common threats like password leaks from server breaches, phishing, and replay attacks.

But there’s still a potential vulnerability…

While SRP is extremely secure, it does store a verifier on the server. If a server becomes malicious, it can try to use this verifier to run dictionary attacks (guessing passwords until it finds the right one).

Introducing Oblivious SRP:

Oblivious SRP takes things up a notch by introducing Oblivious Pseudo-Random Functions (OPRF) and multi-server support to close these gaps:

  • OPRF: Instead of storing the verifier directly, the verifier is split into a private and a public component. The public verifier is generated via hashing OPRF evaluations with the private verifier, where the OPRF evaluations are username-rate-limited, making dictionary attacks nearly impossible.
  • Multi-Server Model: Oblivious SRP also supports a multi-server approach, where attackers need to compromise multiple servers to perform a successful attack. This makes password guessing far more complex and increases overall security.

Enhanced Security:

With Oblivious SRP, attackers would need to break into all the servers, bypass their rate limitations and acquire real-time responses from each one to even begin trying to guess a password. The extra layers of defense significantly reduce the risks of traditional SRP while maintaining its core strengths.
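To make the "verifier stored, password never sent" property concrete, here is a minimal SRP-6a exchange written as an added example for this post; it is not code from the Oblivious SRP library. It assumes a constructed toy group (a 127-bit Mersenne prime and generator 7, chosen only to keep the numbers small) and SHA-256 as the hash; real deployments use the RFC 5054 groups.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only (NOT a production group);
# production SRP uses the large safe-prime groups from RFC 5054.
N = 2**127 - 1   # Mersenne prime, so arithmetic mod N is a field
g = 7

def H(*parts) -> int:
    """SRP's hash H: hash the parts together and return an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def register(username: str, password: str):
    """Enrolment on the client: derive x from salt+password, send only (salt, v).
    The server stores the verifier v = g^x; it never sees x or the password."""
    salt = secrets.token_hex(8)
    x = H(salt, H(username, password))
    return salt, pow(g, x, N)

def authenticate(username, password, salt, verifier):
    """One SRP-6a run. Returns (client_key, server_key, proof_ok).
    Only A, B and a hash-based proof cross the wire, never the password."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)                           # client -> server: username, A
    b = secrets.randbelow(N)
    B = (k * verifier + pow(g, b, N)) % N      # server -> client: salt, B
    if A % N == 0 or B % N == 0:
        raise ValueError("abort: zero public value")   # mandatory SRP check
    u = H(A, B)                                # scrambling parameter
    # Client side: recompute x from the password it knows.
    x = H(salt, H(username, password))
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier, so a breach leaks no password.
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    M_client = H(A, B, S_client)               # client -> server: proof
    proof_ok = M_client == H(A, B, S_server)   # server checks without knowing x
    return H(S_client), H(S_server), proof_ok
```

With the right password both sides derive the same session key and the proof verifies; with a wrong password the proof fails, and the server learned nothing beyond the verifier it already held.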

The original post: /r/cybersecurity by /u/MethodPleasant6478 on 2024-10-12 12:22:15.

In large enterprises, how is authentication and authorization typically managed across multiple applications (e.g., more than 20)? It doesn't seem efficient for each application to have its own isolated system for managing users, roles, and permissions. What strategies are commonly used to centralize user profiles, roles, and authorities across different systems? How do companies avoid redundancy and maintain security at scale?

The original post: /r/cybersecurity by /u/eatfruitallday on 2024-10-12 08:16:23.
The original post: /r/cybersecurity by /u/ProofLegitimate9990 on 2024-10-12 08:04:50.

I work in DFIR for a large UK company and am just trying to gauge who should be carrying out searches in Purview/eDiscovery (sec/admin/HR/legal).

Officially our process is that managers go to HR, who fill in a form; they send it over to us to assess the scope, and then it gets signed off by multiple sec managers. But this only seems to be for significant investigations.

I've noticed in our audit logs that HR seem to run their own searches with some pretty broad parameters that don't sit well with me.

Thinking about it, though, I'm not sure who this should actually be on. It seems like an IT/admin function, but I think there's a case for forensic disciplines to be applied. Also, I'm not sure HR can be considered truly impartial if they are allowed to do it themselves.

Just curious how it’s set up at your organisation?

The original post: /r/cybersecurity by /u/JohnFargeWest789 on 2024-10-11 22:35:02.

I've been pretty deep with Windows PKI and have a rough idea of what ciphers, protocols and algorithms are. I want to expand my skill set to HSMs and expand my knowledge of cryptography.

I'm after a book or two that explains cryptography well for people who are not CS grads or mathematicians!

A book where I can understand the current world and the post quantum world, whenever that may be.

Any suggestions?

The original post: /r/cybersecurity by /u/Admirable_Zone_5212 on 2024-10-11 21:38:42.

Hey everyone!

I recently received an offer from Amazon for a Security Engineer internship and have an interview with Microsoft for a Security Assurance Internship coming up. If I end up getting the Microsoft offer, which do you think would be better in the long term, and why? I'd love to hear any insights or advice.

(Both internships are in Seattle, WA)

Thanks in advance!


The original post: /r/cybersecurity by /u/ZYADWALEED on 2024-10-11 21:16:45.

Hey everyone. I recently started as a Junior SOC Engineer about a month ago. I'm learning a lot on the job and making progress, but kind of slowly, and I'm also feeling a bit overwhelmed. Before this role, I was mainly focusing on SOC Analyst tasks, so most of my knowledge is in analysis.

Now, in my new position, my daily tasks include working with SOAR, ticketing systems, and SIEM.

What areas should I prioritize learning to become better at the engineering aspects of the role? Also, are there any good courses or resources you’d recommend?

Thanks in advance for any advice!

The original post: /r/cybersecurity by /u/Exact-Salt7504 on 2024-10-11 19:37:26.

Hi there,

I have been tasked with aligning our company's policies with ISO 27001:2022.

There are certain control areas where we are not compliant, but we would like to put them into policy to then drive the compliance. We would likely accept this as an enterprise risk.

Could anyone provide suggestions of the language we could use in our policy to reflect that we are moving towards the implementation of the control and also address the ISO requirement?

My initial thoughts include:

  • The organisation will strive to implement control XYZ...
  • Where feasible, the organisation will implement XYZ...

I would appreciate any feedback (e.g. your experience with how this goes in an audit, and any suggestions around suitable language).

The original post: /r/cybersecurity by /u/mn540 on 2024-10-11 18:29:17.

I found out the largest password list is about 9.9B passwords. But what is the largest username/password combination list?