Latest activity

Gregory Childers · Oct 14, 2024

Bofy Idiodi said:
Still no response officially on this?

I have heard no official response yet.

precious · Oct 14, 2024

Gregory Childers · Oct 14, 2024

I've got a side question. Why do we still refer to SSL when it was deprecated in June 2015? The current standard is TLS 1.3 which was defined in August 2018.

Gregory Childers · Oct 14, 2024

Has anyone gotten the voucher for DataX yet?

precious · Oct 14, 2024

Michael Schmitz said:
i posted it as a ressource here. There is it later easier to find..

Thank you for the Information.

Great thanks

Rick Butler · Oct 14, 2024

TraceyO said:
Thank you, Rick!

I took it from home, and it took me a loooong time to get the Pearson onvue website to work. For some reason the website wouldn't work on my phone no matter which browser I used. So I had to use an external web cam to take pictures of my license, myself, and my desk. That took about 45 minutes, I was a little scared that I would miss my window, but everything worked out just in time. I would have just driven to a test site, but I live about an hour away from the nearest one.

I enjoyed the exam content. I was able to go through the questions pretty quickly. I've been working in data for about five years, and I've recently been studying for Data+ That helped a bunch. I think I'll sit the Data+ soon while everything is still fresh in my brain.

Very nice. I'm a OnVUE hater; always deferring to the ol' test center for my testing - since my preferred one is run by people I know and like, I'd rather they get the money for the testing.

I've done Databasing in one form or another for...sheesh...25 years? The cloud bits and NoSQL architectures are newer to me, so I'm putting more time in that.

I got a bit behind on the CompTIA cadence, as I've been working on Azure SC stuff. But hopefully here soon.

But congrats again on your win and good luck on Data+!

/r

Rick Butler · Oct 14, 2024

Hmm... I guess we didn't get the book on it...i thought we did, since we did get one for DataSys+...been a while.

precious · Oct 14, 2024

Hello everyone,

I hope you’re all doing well! I wanted to share a recent teaching experience related to SSL/TLS certificate verification and seek your insights on a particular point of confusion that came up in class.

During a session on secure communications, I had my students test the SSL/TLS configuration of a web server using OpenSSL. We used the following command to retrieve and display the certificate details:

openssl s_client -connect 192.168.100.30:443 -showcerts

This command successfully connected to the server and displayed the server’s certificate chain. However, one student asked about the process of verifying whether the certificate is valid and trusted, particularly regarding the role of Certificate Authorities (CAs).

To clarify, I explained that the verification process involves checking several factors, including:

Whether the certificate is signed by a trusted CA.
The certificate’s expiration date.
The certificate's revocation status, often checked through OCSP (Online Certificate Status Protocol).

However, I realized I could provide more depth on how to perform these checks effectively. For example, we can check the certificate expiration date using:

openssl x509 -in certificate.crt -noout -dates

I’d love to hear your suggestions on the following:

How can I effectively demonstrate the entire SSL/TLS verification process in class, including checking the certificate’s revocation status?
Are there any additional tools or techniques you recommend for teaching about certificate verification and the role of CAs in ensuring secure communications?

Thank you for your insights!

TraceyO · Oct 14, 2024

Congratulations!

TraceyO · Oct 14, 2024

Rick Butler said:
Strange. Should be there. Did you not sit the Data+ TTT?

Yep, I attended the DataX recently. I got access to the Test out CertMaster Perform. However, when I go under the "resources" tab I don't see an instructor guide listed. It got me wondering if the book is being replaced with CertMaster materials, or if there will be one released down the road.

TraceyO · Oct 14, 2024

Rick Butler said:
Nice job, Tracy...how did it go for you? I'm working on it now, actually - I think I'll take a shot at it around Thanksgiving...

Thank you, Rick!

I took it from home, and it took me a loooong time to get the Pearson onvue website to work. For some reason the website wouldn't work on my phone no matter which browser I used. So I had to use an external web cam to take pictures of my license, myself, and my desk. That took about 45 minutes, I was a little scared that I would miss my window, but everything worked out just in time. I would have just driven to a test site, but I live about an hour away from the nearest one.

I enjoyed the exam content. I was able to go through the questions pretty quickly. I've been working in data for about five years, and I've recently been studying for Data+ That helped a bunch. I think I'll sit the Data+ soon while everything is still fresh in my brain.

Patrick Asamago · Oct 14, 2024

congratulations @TraceyO

precious · Oct 14, 2024

Welcome @Emmanuel Phakula Mandala Just find out students struggle during practical fuzzing

Emmanuel Phakula Mandala · Oct 14, 2024

precious said:
1. Cross-Site Scripting (XSS)

If you come across: User input fields (like comments or search bars)

Verify for:

Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.

Persistent XSS: Checking if scripts are stored on the server and reflected back to users.

Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities

If you come across: User input or data handling that may exceed allocated memory

Verify for:

Buffer Overflow: Sending oversized inputs to trigger memory corruption.

Integer Overflow: Providing inputs that exceed maximum integer values.

Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.

Stack Overflow: Causing the call stack to exceed its limit.

Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning

If you come across: User-modifiable data inputs

Verify for: Manipulating data to affect the application's behavior or outcomes.

Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control

If you come across: User permissions or roles within the application

Verify for: Accessing restricted resources or functions without proper authorization.

Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures

If you come across: Data stored or transmitted securely (e.g., passwords, personal data)

Verify for: Weak encryption algorithms or improper key management.

Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws

If you come across: Input fields that interact with databases or APIs

Verify for:

SQL Injection: Manipulating SQL queries through input fields.

Command Injection: Executing arbitrary commands on the server.

Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)

If you come across: Forms that perform state-changing actions

Verify for: Unauthenticated requests being accepted by the application.

Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal

If you come across: File upload or retrieval functions

Verify for: Accessing restricted directories using path traversal techniques.

Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design

If you come across: Flaws in the application's architecture

Verify for: Design weaknesses that expose the application to various attacks.

Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration

If you come across: Default settings in applications or services

Verify for: Misconfigured security settings or unused features being enabled.

Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components

If you come across: Use of libraries or software that are no longer supported

Verify for: Known vulnerabilities associated with outdated components.

Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures

If you come across: Login or authentication mechanisms

Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.

Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)

If you come across: Applications making backend requests based on user input

Verify for: Manipulating requests to access internal services.

Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)

If you come across: User inputs that are executed by the server

Verify for: Ability to execute arbitrary code on the server.

Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation

If you come across: Role or permissions settings

Verify for: Users gaining unauthorized access to higher privilege levels.

Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

If you come across: File inclusion functionalities

Verify for: Ability to include local or remote files that could compromise the application.

Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Thanks for Sharing @precious this is such amazing control to put in place!!!

precious · Oct 14, 2024

Thanks @Chukwunwike_Ndukaji

Emmanuel Phakula Mandala · Oct 14, 2024

Ernest P. Calloway said:
same issue. Seems I get left off the certificate distribution due to the fact that I use a personal email and not my work email.

@Ernest P. Calloway I had to remind stephen in one of the sessions he said he will sort it out..

Emmanuel Phakula Mandala · Oct 14, 2024

congratulations @TraceyO

Chukwunwike_Ndukaji · Oct 14, 2024

Great resource Precious

Hakim Tchala · Oct 14, 2024

Congratulations!

Chris Yang · Oct 14, 2024

I checked that I have the certificate of completion for all sessions. I understand the process takes time, so I am awaiting for the result.

precious · Oct 14, 2024

1. Cross-Site Scripting (XSS)

If you come across: User input fields (like comments or search bars)
- Verify for:
  - Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
  - Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
- Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities

If you come across: User input or data handling that may exceed allocated memory
- Verify for:
  - Buffer Overflow: Sending oversized inputs to trigger memory corruption.
  - Integer Overflow: Providing inputs that exceed maximum integer values.
  - Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
  - Stack Overflow: Causing the call stack to exceed its limit.
- Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning

If you come across: User-modifiable data inputs
- Verify for: Manipulating data to affect the application's behavior or outcomes.
- Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control

If you come across: User permissions or roles within the application
- Verify for: Accessing restricted resources or functions without proper authorization.
- Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures

If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
- Verify for: Weak encryption algorithms or improper key management.
- Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws

If you come across: Input fields that interact with databases or APIs
- Verify for:
  - SQL Injection: Manipulating SQL queries through input fields.
  - Command Injection: Executing arbitrary commands on the server.
- Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)

If you come across: Forms that perform state-changing actions
- Verify for: Unauthenticated requests being accepted by the application.
- Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal

If you come across: File upload or retrieval functions
- Verify for: Accessing restricted directories using path traversal techniques.
- Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design

If you come across: Flaws in the application's architecture
- Verify for: Design weaknesses that expose the application to various attacks.
- Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration

If you come across: Default settings in applications or services
- Verify for: Misconfigured security settings or unused features being enabled.
- Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components

If you come across: Use of libraries or software that are no longer supported
- Verify for: Known vulnerabilities associated with outdated components.
- Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures

If you come across: Login or authentication mechanisms
- Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
- Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)

If you come across: Applications making backend requests based on user input
- Verify for: Manipulating requests to access internal services.
- Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)

If you come across: User inputs that are executed by the server
- Verify for: Ability to execute arbitrary code on the server.
- Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation

If you come across: Role or permissions settings
- Verify for: Users gaining unauthorized access to higher privilege levels.
- Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

If you come across: File inclusion functionalities
- Verify for: Ability to include local or remote files that could compromise the application.
- Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

precious · Oct 13, 2024

abiodun1991 said:
What is the purpose of the pink 3.5mm audio jack on a computer?

To connect a monitor
To connect a microphone
To connect headphones
To connect speakers

explanation

The correct answer is: To connect a microphone.

The pink 3.5mm audio jack on a computer is typically used to connect a microphone. Other audio jacks include the green jack for connecting headphones or speakers and the blue jack for line input.

precious · Oct 13, 2024

abiodun1991 said:
Which feature of the motherboard allows new components to be added?
answer
Socket
Bus
Slot
Port

explanation

The correct answer is: Slot.

Slots on the motherboard allow new components, such as graphics cards, sound cards, or network cards, to be added. These slots provide the physical and electrical connections needed for the components to interface with the motherboard and the rest of the system.

precious · Oct 13, 2024

Rick Butler said:
I believe so - that material is in the CompTIA Store.

Thanks

precious · Oct 13, 2024

Congrats @TraceyO

Latest activity

Latest activity

1. Cross-Site Scripting (XSS)​

2. Overflow Vulnerabilities​

3. Data Poisoning​

4. Broken Access Control​

5. Cryptographic Failures​

6. Injection Flaws​

7. Cross-Site Request Forgery (CSRF)​

8. Directory Traversal​

9. Insecure Design​

10. Security Misconfiguration​

11. End-of-Life or Outdated Components​

12. Identification and Authentication Failures​

13. Server-Side Request Forgery (SSRF)​

14. Remote Code Execution (RCE)​

15. Privilege Escalation​

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

1. Cross-Site Scripting (XSS)​

2. Overflow Vulnerabilities​

3. Data Poisoning​

4. Broken Access Control​

5. Cryptographic Failures​

6. Injection Flaws​

7. Cross-Site Request Forgery (CSRF)​

8. Directory Traversal​

9. Insecure Design​

10. Security Misconfiguration​

11. End-of-Life or Outdated Components​

12. Identification and Authentication Failures​

13. Server-Side Request Forgery (SSRF)​

14. Remote Code Execution (RCE)​

15. Privilege Escalation​

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

Filter

1. Cross-Site Scripting (XSS)

2. Overflow Vulnerabilities

3. Data Poisoning

4. Broken Access Control

5. Cryptographic Failures

6. Injection Flaws

7. Cross-Site Request Forgery (CSRF)

8. Directory Traversal

9. Insecure Design

10. Security Misconfiguration

11. End-of-Life or Outdated Components

12. Identification and Authentication Failures

13. Server-Side Request Forgery (SSRF)

14. Remote Code Execution (RCE)

15. Privilege Escalation

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

1. Cross-Site Scripting (XSS)

2. Overflow Vulnerabilities

3. Data Poisoning

4. Broken Access Control

5. Cryptographic Failures

6. Injection Flaws

7. Cross-Site Request Forgery (CSRF)

8. Directory Traversal

9. Insecure Design

10. Security Misconfiguration

11. End-of-Life or Outdated Components

12. Identification and Authentication Failures

13. Server-Side Request Forgery (SSRF)

14. Remote Code Execution (RCE)

15. Privilege Escalation

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)