If you're using #GnuTLS please note that GnuTLS defaults to a weak security profile:

"The message authenticity security level is of 64 bits or more, and the certificate verification profile is set to GNUTLS_PROFILE_LOW (80-bits)."

This means, for example, that a Diffie-Hellman group size of 1024 bits is allowed. This was deemed insufficient already 10 years ago. See https://weakdh.org/

This issue will be remedied in a future GnuTLS release. Meanwhile, the fix is to inject %PROFILE_MEDIUM into the priority string; for example, "NORMAL:foo" becomes "NORMAL:%PROFILE_MEDIUM:foo". See https://gnutls.org/manual/html_node/Priority-Strings.html for details.

#insecuredefaults #cybersecurity #infosec #development

Be mindful of the python-daemon default umask. For some unfathomable reason the default umask is 0. This leads to newly created files having default permissions of -rw-rw-rw- (666) and directories rwxrwxrwx (777), or “world writable”. This can easily lead to #privilegeescalation vulnerabilities if the daemon is running as a privileged user.

This insecure default umask was the direct root cause of CVE-2017-9450 and CVE-2022-38170. #infosec #insecuredefaults #vulnerability #python
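Added example (mine, not from the post or from python-daemon): it demonstrates the failure mode directly by creating a file and a directory under a given umask and reporting the permission bits they actually receive, so you can see 0666/0777 under umask 0 against 0640/0750 under a restrictive umask. It uses only os.umask() so that it runs without python-daemon installed; the DaemonContext(umask=...) call in the trailing comment is the fix as it applies to python-daemon and is not exercised here.

```python
import os
import stat
import tempfile


def _mode_after_umask(umask: int, make) -> int:
    """Apply `umask`, run `make(path)` inside a private temp dir, and return
    the permission bits the new filesystem object actually received."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:  # mkdtemp itself is 0o700
            path = os.path.join(tmp, "daemon-output")
            make(path)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # always restore the caller's umask


def file_mode_under_umask(umask: int) -> int:
    """Mode a daemon's newly created file ends up with under `umask`."""
    def make(path):
        # A typical open() requests 0o666; the umask is what clears bits from it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    return _mode_after_umask(umask, make)


def dir_mode_under_umask(umask: int) -> int:
    """Mode a daemon's newly created directory ends up with under `umask`."""
    # mkdir requests 0o777 by default; with umask 0 nothing trims that.
    return _mode_after_umask(umask, lambda path: os.mkdir(path, 0o777))


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set (the condition the post warns about)."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for umask in (0, 0o022, 0o027):
        f, d = file_mode_under_umask(umask), dir_mode_under_umask(umask)
        print(f"umask {umask:04o}: file {f:04o} dir {d:04o} "
              f"world-writable={is_world_writable(f) or is_world_writable(d)}")
    # For python-daemon the equivalent fix is to pass an explicit umask to the
    # context instead of relying on its default of 0 (usage sketch only, the
    # package is not imported here):
    #   daemon.DaemonContext(umask=0o027)
```

A practical check during review is to grep a code base for DaemonContext( calls that pass no umask argument; any such call inherits the insecure default the post describes.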

TFW when you find out there IS logging of specific actions in M365 that would have been incredibly useful in proving WITHOUT A DOUBT that thing "X" happened or did NOT happen.

And it's a security thing.

And the default for said logs is OFF.

And the only way to know they CAN be enabled is to find the PowerShell command and options to enable them.

Why, why on earth Microsoft, would we NOT want to know these things? They are not voluminous events, but super important when they happen.

Would much rather have filtered them OUT rather than missing them 'this time'.

Setting is now ON.

#insecureDefaults