Security Icon

Security

InfoSec, DevSec, Penetration Testing, etc.
246 Stories
All Topics

Security circleci.com

Time to rotate any secrets you have stored in CircleCI

The headline is the nut of this story, but here’s CircleCI CTO Rob Zuber with the announcement:

We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.

Practical AI Practical AI #201

Protecting us with the Database of Evil

Online platforms and their users are susceptible to a barrage of threats – from disinformation to extremism to terror. Daniel and Chris chat with Matar Haller, VP of Data at ActiveFence, a leader in identifying online harm – is using a combination of AI technology and leading subject matter experts to provide Trust & Safety teams with precise, real-time data, in-depth intelligence, and automated tools to protect users and ensure safe online experiences.

iOS rambo.codes

iOS bug "SiriSpy" allowed apps to eavesdrop on your conversations with Siri

This tldr from Guilherme Rambo is enough, but read the full post for all the details.

TL;DR: Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.

This bug has since been handled by Apple. Also, after reaching back out to Apple (on Oct 25), Guilherme was told he’d be receiving a $7,000 (USD) bug bounty payment for reporting the issue.

Ship It! Ship It! #76

Container base images with glibc & musl

In today’s episode, we talk about distroless, ko, apko, melange, musl and glibc. The context is Wolfi OS, a community Linux OS designed for the container and cloud-native era. If you are looking for the lightest possible container base image with 0 CVEs and both glibc and musl support, Wolfi OS & the related chainguard-images are worth checking out.

Ariadne Conill is an Alpine Linux TSC member & Software Engineer at Chainguard.

Julie Qiu go.dev

Vulnerability management for Go

Julie Qiu, announcing Go’s new support for vulnerability management:

Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.

There’s a new govulncheck command you can/should install and run against your project. It surfaces only the vulnerabilities that actually affect you, which is awesome.

Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.

iOS krausefx.com

See what JS commands get injected through an in-app browser on iOS

Felix Krause built an iOS browser app that lists the JavaScript commands executed by the iOS app rendering the page. Use it like this:

  1. Open an app you want to analyze
  2. Share the URL somewhere inside the app (e.g. send a DM to a friend, or post to your feed)
  3. Tap on the link inside the app to open it
  4. Read the report on the screen

His findings after using this for a bit are… concerning. Especially TikTok.

Awesome Lists github.com

A powerful open source toolkit for hackers & security automation

Scanners Box also known as scanbox, is a powerful hacker toolkit, which has collected more than 10 categories of open source scanners from Github, including subdomain, database, middleware and other modular design scanner etc. But for other Well-known scanning tools, such as nmap, w3af, brakeman, arachni, nikto, metasploit, aircrack-ng will not be included in the scope of collection.

Toolkit might be a bit misleading. I was imagning some kind of Docker container or Linux distro with all the tools baked in. This is more of a collection of tools (which is why we applied the Awesome topic to it) that you can pick and choose from. Nice collection, though!

Apple apple.com

Apple adds a Lockdown Mode for "extreme protection"

Lockdown Mode is the first major capability of its kind designed to offer an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.

It blocks non-image attachment types in Messages, disables JIT compilation in Safari, blocks incoming FaceTime calls from unknown senders, won’t let the phone connect to a computer via a wired connection, and disables the ability to install new configuration profiles.

Ship It! Ship It! #58

How to keep a secret

Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets.

What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know?

Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.

Security github.com

Chain-bench – a tool for auditing your software supply chain

Chain-bench is an open source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.

You can run the tool from a CLI, assuming your code is hosted on GitHub (more SCM hosts coming soon):

chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>

I couldn’t find a comprehensive list of what checks are in the benchmark, but it appears they are referring to this guide. You can see what an example run’s results like like in the README.

Security github.com

The Deepfake Offensive Toolkit

dot (aka Deepfake Offensive Toolkit) makes real-time, controllable deepfakes ready for virtual cameras injection. dot is created for performing penetration testing against e.g. identity verification and video conferencing systems, for the use by security analysts, Red Team members, and biometrics researchers.

What’s crazy is dot deepfakes don’t require any additional training. 🤯

The Deepfake Offensive Toolkit
Player art
  0:00 / 0:00