Information Security (InfoSec)



Canary — know when it matters


Tools, Software, Products

Authy | Two-factor Authentication (2FA) App & Guides

FreeOTP – Google Search (2FA)

burp suite – Google Search


InsightAppSec | Rapid7

rubber ducky – Google Search

wifi pineapple – Google Search

Acunetix Vulnerability Scanner: Web Application Security

low orbit ion cannon – Google Search


metasploit – Google Search



Useful Resources


XSS (Cross Site Scripting) Prevention Cheat Sheet – OWASP
CheatSheetSeries/ at master · OWASP/CheatSheetSeries



ACORN | Australian Cybercrime Online Reporting Network

GCSB – Home


ASD Australian Signals Directorate

CISA | Homeland Security


Digital Rights Watch


Education, Reading, Learning


owasp crs – Google Search

nist cyber security framework – Google Search

cyber security framework – Google Search


Category:Vulnerability Scanning Tools – OWASP

EFF: Surveillance Self-Defense | Tips, Tools and How-tos for Safer Online Communications


Terminology and Stuff To Know

software composition analysis – Google Search

supply chain attacks – Google Search

giac gssp – Google Search

insider threat – Google Search

insider threat (canary) – Google Search

https ssl tls hsts – Google Search

SNI – Google Search

supply chain hack – Google Search

remote access tool (rat) – Google Search

sim swapping – Google Search

chain of attack – Google Search

remote access tool (rat) attack – Google Search

exif data – Google Search

tls public key pinning – Google Search

security ttp – Google Search

layer 3 security at DuckDuckGo

layer 4 security at DuckDuckGo

layer 5 security at DuckDuckGo

network security layers at DuckDuckGo

network layers 8 at DuckDuckGo

verified office access – Google Search

trust but verify – Google Search

phishing and watering hole attacks – Google Search

dnssec at DuckDuckGo

cors at DuckDuckGo

webauthn at DuckDuckGo

domain fronting at DuckDuckGo

dns hijacking – Google Search

safe frames – Google Search

tls – Google Search

man on the side injection – Google Search

account take over (ato) – Google Search

cis hardening – Google Search

fido2 – Google Search

webauthn – Google Search

advanced persistent threat – Google Search

acm active countermeasures – Google Search

business email compromise (BEC) also sometimes known as “CEO Fraud” or “whaling” – Google Search

catphishing at DuckDuckGo

2fa and mfa at DuckDuckGo

fuzz testing at DuckDuckGo

csrf at DuckDuckGo

dns caa at DuckDuckGo

sub resource integrity at DuckDuckGo

csp at DuckDuckGo

hsts at DuckDuckGo

insecure direct object reference at DuckDuckGo

buffer overflow vulnerability at DuckDuckGo

zero trust at DuckDuckGo

honeypot at DuckDuckGo

xss and persistent at DuckDuckGo

remote access trojans at DuckDuckGo

sim swapping at DuckDuckGo

network security lateral movement at DuckDuckGo

SQL injection attacks: A cheat sheet for business pros – TechRepublic

Insecure direct object reference (Account enumeration) – Google Search

bits of entropy at DuckDuckGo

DNS poisoning.

  • Smart coffee maker on home network. Someone gets access to it (open scan of network), gets your Wi-Fi password, and gets into your router. They set up a fake site for Facebook or your bank and poison the DNS in your router (e.g. point -> ). You log in as normal and… they have your password.
  • See 

SPF – Authorize email senders with SPF – G Suite Admin Help
spf record dns email (only my server can send email) – Google Search
verify email sender identity – Google Search

TOTP app – Google Search
u2f vs 2fa vs otp – Google Search
U2F – Google Search

certificate transparency monitoring – Google Search


Passwords & 2FA

Pretty Good Password Generator –

National Cyber Security Centre – “Passwords, passwords everywhere” (blog post)

Password expiration is dead, long live your passwords | TechCrunch





uBlock Origin

EFF Privacy Badger







People in InfoSec

Jayson E. Street


Good Reads

Top Picks

What I Learned Trying To Secure Congressional Campaigns (Idle Words)


Stuff that needs sorting

DLA Piper GDPR data breach survey: February 2019 | Insights | DLA Piper Global Law Firm

CLARK | Cybersecurity Library


cyber security before, during and after attack – Google Search

ModSecurity: Open Source Web Application Firewall

ctf security for beginners – Google Search

CTF365 – Capture The Flag | Security Training Platform

Cyber Challenge Australia

Capture The Flag (CTF ) – Code Like A Girl

Encryption software to secure cloud files | Boxcryptor

11 Best PHP Code Security Scanner to Find Vulnerabilities

Security Vulnerabilities Detected by RIPS

Community Edition | SonarSource

Sven Morgenroth, Netsparker – Paul’s Security Weekly #584 – YouTube

Never Pass Untrusted Data to Unserialize in PHP | Netsparker

— the Internet’s Fastest, Privacy-First DNS Resolver

prtg message software monitoring – Google Search

The 21 biggest data breaches of 2018 | Business Insider

Mozilla – *privacy not included

Govt pushes Flash, Java, web ad blocks in revised infosec manual – Security – iTnews

HTTPS Is Easy!

2-factor authentication may be hackable, expert says

One of the West’s biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries | Business Insider

14 Best Open Source Web Application Vulnerability Scanners [Updated for 2018]

People older than 65 share the most fake news, a new study finds – The Verge

damn vulnerable web app – Google Search

DVWA – Damn Vulnerable Web Application

Authy | Two-factor Authentication (2FA) App & Guides

Bit Discovery

type juggling owasp – Google Search

Government shutdown: TLS certificates not renewed, many websites are down | ZDNet

For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching

T-Mobile, Sprint, and AT&T Are Selling Customers’ Real-Time Location Data, And It’s Falling Into the Wrong Hands

10 GitHub Security Best Practices | Snyk

StopSIMCrime | Let’s make mobile carriers stop!

NIST on Privileged Access Management: Secure the Keys to your Kingdom – The LastPass Blog

How Much of the Internet Is Fake?

Weekly Update 122 (and Lenovo P50)

security asset management – Google Search

physical office awareness – Google Search

google maps location sharing – Google Search

web application hacker’s handbook – Google Search

browser hackers handbook – Google Search

Access via public WiFi – Man in the middle – Reset main account passwords – Google Search

CRLF Injection Into PHP’s cURL Options – TomNomNom – Medium

The curious case of the Raspberry Pi in the network closet

WiGLE: Wireless Network Mapping

dns logs – Google Search

It’s Time To Audit All The Extensions You’ve Installed On Your Browser | Gizmodo Australia

Analyzing a Week of Blocked Attacks

Home network/wifi segmentation – Google Search

home network security – Google Search

why unique password. password stuffing from people operating community websites – Google Search

Don’t Toss That Bulb, It Knows Your Password | Hackaday

Pwn the LIFX Mini white – Limited Results

googling help numbers that are a scam – Google Search

Google releases Chrome extension that alerts users of breached passwords | Ars Technica

metasploit – Google Search

Photo Location & Online EXIF Data Viewer – Pic 2 Map

darkcomet rat – Google Search

lan turtle – Google Search

nmap – Google Search

Facebook Is Tracking You! Here’s How to Stop It

uBlock Origin – Chrome Web Store

Privacy Badger | Electronic Frontier Foundation

Use Windows Event Forwarding to help with intrusion detection (Windows 10) | Microsoft Docs

windows event log forwarding – Google Search

Using Gmail “Dot Addresses” to Commit Fraud – Schneier on Security

keyless entry car relay attack – Google Search

charles proxy android – Google Search

evilginx – Google Search

clear web data breaches – Google Search

why do hotels require passports – Google Search

MEGA data breach – Google Search

tarahmarie/nerdlist: list of passwords more likely to be used by sysadmins, general nerds, and folk with access

Open sourcing ClusterFuzz | Google Open Source Blog

Dream Market at DuckDuckGo



usb device driver infect at DuckDuckGo

nist phone sms 2fa at DuckDuckGo

NIST declares the age of SMS-based 2-factor authentication over | TechCrunch

Sms 2fa not secure at DuckDuckGo

Top Cyber Security Journalist Award Winners | SANS Institute

xkcd: Voting Software

The passwordless web explained – Naked Security

Improvements for Sharing Securely on Box | Box Blog

Online safety cartoons for young kids

CheatSheetSeries/ at master · OWASP/CheatSheetSeries

W3C approves WebAuthn as the web standard for password-free logins | VentureBeat

us munitions list – Google Search

Electronic Frontier Foundation | Defending your rights in the digital world

The Threat Intelligence Handbook | Recorded Future | Fighting malware and botnets

SSL Server Test (Powered by Qualys SSL Labs)


Making Passwords Simple | SANS Security Awareness

A Few Simple Steps to Vastly Increase Your Privacy Online

Threatpost | The first stop for security news

Jeremy from Marketing – Darknet Diaries Podcast

security.txt – Google Search

dns hijacking – Google Search

Special Publication 800-63 | NIST

Hack-with-Github/Awesome-Hacking: A collection of various awesome lists for hackers, pentesters and security researchers

So You Want To Be a Pentester? – Jack Hacks

Why Every Privacy Activist Should Embrace* DNS-over-HTTPS

Top 5 Configuration Mistakes That Create Field Days for Hackers | Threatpost

14 Best Open Source Web Application Vulnerability Scanners [Updated for 2019]

Category:Vulnerability Scanning Tools – OWASP

Canary tokens to detect site cloning – Google Search



OWASP AppSec Day 2018

ThreatPlaybook – Home – ThreatPlaybook

Open Source Security Platform | Snyk

rollbar raygun sentry – Google Search

vulnerability database – Google Search

Data breach detection, prevention and notification – DataBreachToday

retire.js – Google Search

OWASP Dependency Check – OWASP

OWASP Dependency Track Project – OWASP

secure code warrior – Google Search

paper towns on maps – Google Search

pagerduty – Google Search

sonatype – Google Search

splunk logging – Google Search

datadog logging – Google Search


Password security

Weekly Update 111 – YouTube

Passwords in online services | ICO

Troy Hunt: Passwords Evolved: Authentication Guidance for the Modern Era


Intel open-sources HE-Transformer, a tool that allows AI models to operate on encrypted data | VentureBeat

Bug Hunting Is Cybersecurity’s Skill of the Future – Infosecurity Magazine

New machine learning algorithm breaks text CAPTCHAs easier than ever | ZDNet

How Facebook Tracks Non-Users via Android Apps | Threatpost | The first stop for security news

ecthros/uncaptcha2: defeating the latest version of ReCaptcha with 91% accuracy

Host Websites On Github –

webhint, the hinting engine for web best practices


Network Scanning

php script to scan ip addresses – Google Search

Script to collect the Hostname, MAC & IP Address – Windows Forum – Spiceworks

IP scanner, give it range of IPs and it’ll return the website title

Smaash/hostscan: php tool for network scanning


LastPass & Have I Been Pwned

lastpass have i been pwned – Google Search

LastPass Forums • View topic – Pwned Passwords check

Use the Security Challenge

LastPass Forums • View topic – Have I Been Pwned Integration?


php – RegEx to find and remove event attributes ex. onclick, onload, onhover etc – Stack Overflow
How do you parse and process HTML/XML in PHP? – Stack Overflow

NIST Asks for Input on Building Secure Software – Nextgov


Rolling out LastPass? Don’t Miss These 5 Tools  – The LastPass Blog
LockPickingLawyer – YouTube
Notifiable Data Breaches Scheme 12‑month Insights Report | Office of the Australian Information Commissioner – OAIC


Security Without Borders