PaperAge – easy and secure paper backups of (smallish) secrets
Take any plaintext, encrypt it & generate a PDF with a QR code that’s easy to scan back in.
Uses the Age format.
The headline is the nut of this story, but here’s CircleCI CTO Rob Zuber with the announcement:
We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing. We will provide you updates about this incident, and our response, as they become available. At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.
This thing scans all 65k ports in 3 seconds, is scriptable with Python, Lua & Shell, “learns” based on your usage, and automatically pipes ports into Nmap.
If you operate an SSH server that receives connections from the public, you owe it to yourself to read this list of things you can do to lock that sucker down.
Wait-for-secrets GitHub Action waits for the developer to enter secrets during a workflow run. Developers can enter secrets using a web browser and use them in the workflow.
This seems like a good enough solution to yet another battle between security and usability.
Multithreaded, cross-platform, reliable & written in Rust.
This tldr from Guilherme Rambo is enough, but read the full post for all the details.
TL;DR: Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.
This bug has since been handled by Apple. Also, after reaching back out to Apple (on Oct 25), Guilherme was told he’d be receiving a $7,000 (USD) bug bounty payment for reporting the issue.
Julie Qiu, announcing Go’s new support for vulnerability management:
Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.
There’s a new govulncheck command you can/should install and run against your project. It surfaces only the vulnerabilities that actually affect you, which is awesome.
Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.
Felix Krause built an iOS browser app that lists the JavaScript commands executed by the iOS app rendering the page. Use it like this:
His findings after using this for a bit are… concerning. Especially TikTok.
Scanners Box, also known as scanbox, is a powerful hacker toolkit which has collected more than 10 categories of open source scanners from GitHub, including subdomain, database, middleware and other modular-design scanners. Other well-known scanning tools, such as nmap, w3af, brakeman, arachni, nikto, metasploit and aircrack-ng, will not be included in the scope of the collection.
Toolkit might be a bit misleading. I was imagining some kind of Docker container or Linux distro with all the tools baked in. This is more of a collection of tools (which is why we applied the Awesome topic to it) that you can pick and choose from. Nice collection, though!
Large data-hungry corporations dominate the digital world but with little, or no respect for your privacy. Migrating to open-source applications with a strong emphasis on security will help stop corporations, governments, and hackers from logging, storing or selling your personal data.
Vaultless as in you do not need to manage a password vault.
Instead of storing your passwords in a vault it derives your password on the fly from your master password and supplied realm string (for example, resource URL).
How cool is that?! Here’s an example use:
gokey -p super-secret-master-password -r example.com
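To make the "vaultless" idea concrete, here is an added illustration (not gokey's own code or algorithm) of deriving a per-site password from a master password and a realm string: the realm and a version counter act as the salt to PBKDF2-HMAC-SHA256, and the resulting key is mapped onto a password alphabet. The iteration count, alphabet and the version-counter rotation trick are assumptions for this demo; the only property the page states, and the one the code shows, is that the same master password and realm always reproduce the same password while a different realm yields an unrelated one.

```python
import hashlib
import string

# Character set for generated passwords (assumption for this demo).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def derive_password(master: str, realm: str, length: int = 20, version: int = 1) -> str:
    """Deterministically derive a per-realm password; nothing is stored.

    Illustrative scheme, not gokey's: PBKDF2-HMAC-SHA256 keyed by the master
    password, salted with the realm plus a version counter. Bumping `version`
    rotates one site's password without touching the master password or any
    other realm, which is the usual answer to "how do I rotate a derived
    password?".
    """
    if not master or not realm:
        raise ValueError("master password and realm must be non-empty")
    salt = f"{realm}\x00{version}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)
    # Treat the 256-bit key as an integer and peel off base-|ALPHABET| digits;
    # with 20 chars (~124 bits) drawn from 256 bits the modulo bias is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Mirrors the `gokey -p ... -r example.com` invocation above (constructed values).
    print(derive_password("super-secret-master-password", "example.com"))
```

The flip side of having no vault is that the master password is the single secret protecting every realm: anyone who learns it can regenerate every derived password offline, and a forced change of the master password changes all of them at once, which is why the version counter per realm matters.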
Lockdown Mode is the first major capability of its kind designed to offer an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.
It blocks non-image attachment types in Messages, disables JIT compilation in Safari, blocks incoming FaceTime calls from unknown senders, won’t let the phone connect to a computer via a wired connection, and disables the ability to install new configuration profiles.
Chain-bench is an open source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
You can run the tool from a CLI, assuming your code is hosted on GitHub (more SCM hosts coming soon):
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
I couldn’t find a comprehensive list of what checks are in the benchmark, but it appears they are referring to this guide. You can see what an example run’s results look like in the README.
dot (aka Deepfake Offensive Toolkit) makes real-time, controllable deepfakes ready for virtual camera injection. dot is created for performing penetration testing against e.g. identity verification and video conferencing systems, for use by security analysts, Red Team members, and biometrics researchers.
What’s crazy is dot deepfakes don’t require any additional training. 🤯
Ken Kantzer was part of ~20 code audits of companies that had just raised their A or B rounds of funding:
It was fascinating work – we dove deep on a great cross-section of stacks and architectures, across a wide variety of domains. We found all sorts of security issues, ranging from catastrophic to just plain interesting. And we also had a chance to chat with senior engineering leadership and CTOs more generally about the engineering and product challenges they were facing as they were just starting to scale.
In this post he shares some of the more surprising things he’s learned from the experience. There’s a lot to digest in this post, but I’ll highlight my favorite to whet your whistle:
Simple Outperformed Smart. As a self-admitted elitist, it pains me to say this, but it’s true: the startups we audited that are now doing the best usually had an almost brazenly ‘Keep It Simple’ approach to engineering. Cleverness for cleverness sake was abhorred. On the flip side, the companies where we were like “woah, these folks are smart as hell” for the most part kind of faded.
Mike Hanley on GitHub’s blog:
The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain…
Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.
After recording Ship It! #46, Nabeel Sulieman and Gerhard stuck around to pair on getting KCert (a simpler alternative to cert-manager) set up on our LKE infra. It works!
You might not need this curated checklist of 300+ tips for protecting digital security and privacy (you probably do), but I bet there’s someone in your life who does (you probably do, too).
Wireshark is a seriously cool piece of software for packet sniffing and analysis. Why might you want to use it on yourself?
This opens up possibilities to not only reverse engineer web app private APIs in a deeper way, but also to do the same kind of research against desktop apps for purposes such as data scraping, automation, vulnerability research and privacy analysis.
Said root access is achieved on DevOops – a medium-rated, retired machine on HackTheBox. The hack begins with a web server that hosts XML file uploads and ends with… well, I won’t spoiler it for you. Follow along and try to get root for yourself!
Avi Lumelsky shares his journey finding and reporting databases with sensitive data about Fortune-500 companies, hospitals, crypto platforms, startups during due diligence, and more.
His major entry point: misconfiguration
Linux users on Tuesday got a major dose of bad news—a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.
Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.
Oh my. It requires local access first, which is the only good news here.
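Since the bug lives in the setuid pkexec binary, the first triage question on a fleet is simply where pkexec is and whether it still carries the set-user-ID bit (dropping that bit is the widely published stopgap while the fixed package rolls out). Below is an added audit helper, not part of the article or of Polkit, that lists setuid executables under given directories and classifies pkexec; the search directories are assumptions, and `demo()` builds a constructed temporary tree so the check can be exercised without touching the real system.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_setuid_executables(directories):
    """Return sorted paths of regular files under `directories` with the setuid bit set.

    lstat() is used so symlinks are reported neither as setuid nor followed.
    """
    found = []
    for d in directories:
        for p in Path(d).rglob("*"):
            try:
                st = p.lstat()
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)


def pkexec_status(directories=("/usr/bin", "/usr/local/bin", "/bin")):
    """Classify pkexec as 'absent', 'setuid' (vulnerable surface present) or 'no-setuid'."""
    for d in directories:
        p = Path(d) / "pkexec"
        if p.is_file():
            return "setuid" if p.stat().st_mode & stat.S_ISUID else "no-setuid"
    return "absent"


def demo():
    """Run both checks over a constructed directory tree and return the observations."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root) / "bin"
        bindir.mkdir()
        (bindir / "pkexec").write_bytes(b"#!/bin/sh\n")
        (bindir / "ls").write_bytes(b"#!/bin/sh\n")
        os.chmod(bindir / "pkexec", 0o4755)  # setuid root-style mode, owner is us (constructed)
        os.chmod(bindir / "ls", 0o755)
        before = pkexec_status([bindir])
        setuid_names = [p.name for p in find_setuid_executables([bindir])]
        os.chmod(bindir / "pkexec", 0o755)  # the stopgap: strip the setuid bit
        after = pkexec_status([bindir])
        empty = Path(root) / "empty"
        empty.mkdir()
        return {
            "before": before,
            "setuid_names": setuid_names,
            "after": after,
            "absent": pkexec_status([empty]),
        }


if __name__ == "__main__":
    print("demo tree:", demo())
    print("this host:", pkexec_status(), find_setuid_executables(["/usr/bin"]))
```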
Oliver Brotchie developed this CSS fingerprinting technique that requires no Javascript or Cookies to function and avoids anti-tracking methods such as NoScript, VPNs or browser extensions.
CSS Fingerprinting is a technique of tracking and gathering information on site visitors. This method exploits the nature of CSS to track various characteristics about the visitor’s browser and device, which can later be used to either identify or track said visitor.
Right now, at current spec, this method doesn’t scale, but with the next upcoming draft of the CSS specification, CSS Values 4, it will become far more scalable and precise.
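The mechanism behind CSS fingerprinting is that a stylesheet can gate a `url()` fetch behind a media query, so the server learns which device characteristics matched from which image requests arrive, with no script involved. The defender's counterpart is to look for that pattern in a stylesheet: many distinct media conditions, each loading its own distinct URL from the same host. The following is an added detector written for this issue, not code from Oliver Brotchie's demo; the hostnames, media conditions and the flagging threshold are constructed assumptions, and the parsing is deliberately simple (regex plus brace matching, no full CSS grammar).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
MEDIA_RE = re.compile(r"@media\s*([^{]+)\{", re.I)


def media_blocks(css):
    """Return (condition, body) pairs for each @media block, matching nested braces."""
    blocks = []
    for m in MEDIA_RE.finditer(css):
        depth, i = 1, m.end()
        while i < len(css) and depth:
            if css[i] == "{":
                depth += 1
            elif css[i] == "}":
                depth -= 1
            i += 1
        condition = " ".join(m.group(1).split())  # normalise whitespace
        blocks.append((condition, css[m.end():i - 1]))
    return blocks


def fingerprint_report(css, threshold=8):
    """Map host -> number of distinct (media condition, URL) probes, for hosts at or above threshold.

    A host that is asked for many different URLs, each behind a different media
    condition, is behaving like a fingerprinting beacon rather than a CDN.
    """
    probes = defaultdict(set)
    for condition, body in media_blocks(css):
        for url in URL_RE.findall(body):
            host = urlparse(url).netloc
            if host:
                probes[host].add((condition, url))
    return {host: len(p) for host, p in probes.items() if len(p) >= threshold}


# Constructed sample stylesheet: twelve probe queries against track.example plus
# ordinary CDN assets that also sit behind a media query.
PROBE_CONDITIONS = [
    "(min-width: 600px)", "(min-width: 1200px)", "(orientation: landscape)",
    "(min-resolution: 2dppx)", "(prefers-color-scheme: dark)", "(hover: hover)",
    "(pointer: fine)", "(prefers-reduced-motion: reduce)", "(color-gamut: p3)",
    "(min-aspect-ratio: 16/9)", "(max-width: 800px)", "(inverted-colors: inverted)",
]
SAMPLE_CSS = "\n".join(
    f"@media {c} {{ body {{ background-image: url('https://track.example/fp?q={i}'); }} }}"
    for i, c in enumerate(PROBE_CONDITIONS)
) + """
@font-face { font-family: X; src: url("https://cdn.example/fonts/x.woff2"); }
@media (min-width: 600px) { .hero { background: url(https://cdn.example/img/hero.jpg) no-repeat; } }
"""

if __name__ == "__main__":
    print(fingerprint_report(SAMPLE_CSS))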
We laugh so that we do not have time to cry. (via Zachary Taylor in our community Slack)